Securing the /tmp directory


The /tmp directory on Linux is a place where anyone can write temporary files. This includes the user the web browser runs as, the user a mail server runs as, and so on.

The problem with this is that a "blackhat" may be able to bypass security and create or arbitrarily modify parts of the system if you are not careful. Thus, the /tmp directory should specifically not allow exec (execution), suid (set UID to root) or dev (creating devices).

On systems not secured by SELinux, this can only be done via mount options, which means you must have a separate partition for the /tmp directory. It can then be mounted with an /etc/fstab entry such as:

/dev/sda3       /tmp              ext3  noexec,nosuid,nodev           0       2

Creating a separate disk-based partition is not my preference, so in addition I create /tmp as a ramdisk, meaning it resides in memory only (a good thing as it generally contains small files). In many cases, 100M of memory is sufficient.

# tmpfs is used here because it enforces size=; ramfs ignores that option
tmpfs          /tmp              tmpfs  noexec,nosuid,nodev,size=100M     0       0

This will create a RAM disk with a maximum size of 100 MB and mount it with the proper options on /tmp. Note: RAM disks only use the amount of space they require, so the 100M above is basically the upper limit of storage. Leaving the size parameter off completely results in a partition that has a maximum size defined by your startup scripts.
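To confirm that noexec, nosuid and nodev are actually in effect on /tmp after mounting, the mount table can be checked as in the following added example (not part of the original article). The function name missing_tmp_opts and the sample mount table are constructed for illustration; the sample includes a second mount stacked over /tmp that hides a correctly hardened entry.

```shell
#!/bin/sh
# Added example: report which of the article's hardening options are missing
# from a mount point. Function name and sample table are constructed.

# Constructed sample in /proc/mounts format. The last line mounts a second
# filesystem over /tmp, shadowing the hardened entry above it.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda4 /var/tmp ext3 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,relatime,size=102400k 0 0'

# missing_tmp_opts MOUNTPOINT [TABLE]
#   TABLE defaults to /proc/self/mounts; "-" reads the table from stdin.
#   Prints the missing options comma-separated (empty line if none).
#   Returns 0 = hardened, 1 = options missing, 2 = not a separate mount.
missing_tmp_opts() {
    mp=$1
    table=${2:-/proc/self/mounts}
    # Keep the options of the LAST matching line: a later mount on the
    # same directory hides earlier ones, so it is the one in effect.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4; hit = 1 }
                            END { if (hit) print o }' "$table")
    if [ -z "$opts" ]; then
        echo "not-a-mount"
        return 2
    fi
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;                              # option present
            *) missing="${missing:+$missing,}$want" ;;   # option absent
        esac
    done
    echo "$missing"
    [ -z "$missing" ]
}

# Demo on the constructed table; prints: noexec,nodev
printf '%s\n' "$SAMPLE_MOUNTS" | missing_tmp_opts /tmp - || true
```

Calling `missing_tmp_opts /tmp` with no second argument audits the running system through /proc/self/mounts.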

Last update: 2012-10-14 00:52
Author: Rod
Revision: 1.0