Making /tmp Safe
Bear Giles | April 6, 2011

Another quick security tip. Many attacks depend on being able to copy a file or script onto the system and execute it. The only places the average user is guaranteed to be able to write a file are their home directory and /tmp.
No user, with the possible exception of developers, needs exec or suid permissions in their home directory. The /home partition should always be mounted ‘noexec,nosuid,nodev’ unless there’s a compelling reason to allow local execution, such as, alas, the MyEclipse IDE, which installs in the user’s home directory by default.
The /home partition should never have suid permission.
The /tmp partition is a little more complicated. You generally don’t want to execute anything out of your /tmp partition, but the standard Debian/Ubuntu package installers will occasionally need to do this. The problem is that you never know which packages will require it, and it’s easy to forget to change the mount options, twice, every time you install or upgrade a package.
There’s a simple solution. Create a file called /etc/apt/apt.conf.d/local-tmp-noexec with the following content:
// /etc/apt/apt.conf.d/local-tmp-noexec
// apt.conf list syntax: each quoted command must be followed by a semicolon.
// /tmp must be its own mount point for the remount to work.
DPkg
{
    // Run before apt invokes dpkg: allow execution from /tmp.
    Pre-Invoke { "mount -o remount,exec /tmp"; };
    // Run after dpkg finishes: restore the hardened options.
    Post-Invoke { "mount -o remount,noexec,nosuid,nodev /tmp"; };
};
This automatically remounts the /tmp partition with exec permission before apt invokes dpkg, then takes that permission away again once the packages are installed. I also re-apply ‘nosuid’ and ‘nodev’ in the Post-Invoke remount, just in case suid or device-file support was somehow enabled in the meantime.
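An audit helper for the mount options this post recommends, added here as an example (it is not from the original post): it reads /proc/mounts-style lines and reports which of noexec, nosuid and nodev are missing on a given mount point, so you can confirm the Post-Invoke remount actually restored them. The function names and the sample mount lines are constructed for this example.

```shell
#!/bin/sh
# check_mount_opts MOUNTPOINT MOUNTS_TEXT
#   MOUNTS_TEXT is the content of /proc/mounts (device mountpoint fstype options dump pass).
#   Prints "ok", "not-mounted", or the comma-separated list of missing hardening
#   options; returns 0 when fully hardened, 1 when options are missing, 2 when not mounted.
check_mount_opts() {
    mp="$1"
    mounts="$2"
    # Field 4 of the matching line holds the mount options.
    opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print $4; exit }')
    if [ -z "$opts" ]; then
        echo "not-mounted"
        return 2
    fi
    missing=""
    for want in noexec nosuid nodev; do
        # Surround with commas so "nodev" does not match inside another option.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    if [ -z "$missing" ]; then
        echo "ok"
        return 0
    fi
    echo "$missing"
    return 1
}

# Constructed sample of /proc/mounts: /tmp hardened, /home missing nodev, / unhardened.
SAMPLE_MOUNTS='tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0'

# Audit the live system (hypothetical helper): reports /tmp and /home from the real /proc/mounts.
audit_live() {
    live=$(cat /proc/mounts)
    for mp in /tmp /home; do
        printf '%s: %s\n' "$mp" "$(check_mount_opts "$mp" "$live")"
    done
}

if [ -r /proc/mounts ]; then audit_live; fi
```

Run it after an apt operation (or from cron) to catch a /tmp that was left with exec enabled because a Post-Invoke hook never ran.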
Finally, it’s usually a good idea to mount /tmp on a tmpfs filesystem instead of a physical partition. This may not be possible if you have applications that consume massive amounts of /tmp space, but as a general rule you’ll get a huge performance gain with minimal problems. At most you’ll want to add some extra memory and/or use a larger-than-standard swap partition.