The /tmp directory can be used to compromise system security. A simple way to reduce this risk is to prevent the execution of scripts stored in this path. This guide describes how to do this.
This howto was tested on:
- Debian 5.0 Lenny
- Debian 6.0 Squeeze
- Debian 10.0 Buster
Settings
Set the path where script execution will be blocked:
noexecPath='/tmp'
Set the path where the loopback file will be stored:
loopbackPath='/var/lib/tmpfs/tmp.fs'
Set the size of the loopback file (in gigabytes):
loopbackSize='1'
Set the file system used to format the loopback file:
loopbackFs='ext4'
Installation
Detect if sudo is available (“command” is used if not):
cmdProxy='command'
command type -f 'sudo' &>'/dev/null' && cmdProxy='sudo'
Remove trailing slashes from the provided $noexecPath:
noexecPath="$(command sed -e 's|/*$||g' <<< "${noexecPath}")"
Create the directory where the loopback file used as the /tmp filesystem will be stored:
${cmdProxy} mkdir --parent "$(command dirname "${loopbackPath}")"
Create an empty file that will be used to store the /tmp contents (this can take a few seconds):
${cmdProxy} dd if='/dev/zero' of="${loopbackPath}" \
bs=1024 count=$(( ${loopbackSize} * 1000000 ))
Format the file using the chosen filesystem:
${cmdProxy} mkfs --type "${loopbackFs}" -F "${loopbackPath}"
Add the mount point settings to the ‘fstab’ file:
${cmdProxy} tee -a '/etc/fstab' \
<<< "${loopbackPath} ${noexecPath} ${loopbackFs} loop,noexec,nosuid,nodev,rw 0 0"
Detect the current path permissions:
currentOwner="$(command stat -c '%U:%G' "${noexecPath}")"
currentPermissions="$(command stat -c '%a' "${noexecPath}")"
Activate the new filesystem with the noexec option (the /tmp directory currently in use is first moved out of the way to avoid disruption):
${cmdProxy} mv "${noexecPath}" "${noexecPath}.old" \
&& ${cmdProxy} mkdir "${noexecPath}" \
&& ${cmdProxy} chown "${currentOwner}" "${noexecPath}" \
&& ${cmdProxy} chmod "${currentPermissions}" "${noexecPath}" \
&& ${cmdProxy} mount "${noexecPath}" \
&& ${cmdProxy} chown "${currentOwner}" "${noexecPath}" \
&& ${cmdProxy} chmod "${currentPermissions}" "${noexecPath}" \
&& ${cmdProxy} find "${noexecPath}.old" -mindepth 1 -maxdepth 1 \
-exec mv '{}' "${noexecPath}" \; \
&& ${cmdProxy} rm -r "${noexecPath}.old"
Configure APT to enable script execution from the path during upgrades:
${cmdProxy} tee '/etc/apt/apt.conf.d/90noexectmp' \
<<< "DPkg
{
Pre-Invoke { \"mount -o 'remount,exec' '${loopbackPath}'\" };
Post-Invoke { \"mount -o 'remount,noexec' '${loopbackPath}' || true\" };
};"
The temporary directory can no longer be used to execute scripts.
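The APT hook above remounts the filesystem with exec during upgrades, and its Post-Invoke command ends with `|| true`, so a failed remount back to noexec goes unnoticed. The following check is an added example, not part of the original guide: it reports which of the options set in fstab (noexec, nosuid, nodev) are missing on a mount point. The function name and the sample mount table are assumptions made for illustration.

```bash
# Added example (not from the original guide): list hardening options missing
# on a mount point. The mount table is read from stdin in /proc/mounts format.
# Usage: missing_mount_flags /tmp < /proc/mounts
# Prints the missing options, or "unmounted" when the path is not a mount point.
# Returns 0 only when noexec, nosuid and nodev are all present.
missing_mount_flags() {
    local target="${1%/}" device point fsType options rest
    local found='' missing='' flag
    [ -n "${target}" ] || target='/'
    # The last matching line wins: a later mount shadows an earlier one.
    while read -r device point fsType options rest; do
        if [ "${point}" = "${target}" ]; then
            found="${options}"
        fi
    done
    if [ -z "${found}" ]; then
        echo 'unmounted'
        return 2
    fi
    for flag in noexec nosuid nodev; do
        case ",${found}," in
            *",${flag},"*) ;;
            *) missing="${missing:+${missing} }${flag}" ;;
        esac
    done
    echo "${missing}"
    [ -z "${missing}" ]
}

# Constructed sample: the mount table as it looks while /tmp is remounted
# with exec (Pre-Invoke has run, Post-Invoke has not run or has failed).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/loop0 /tmp ext4 rw,nosuid,nodev,relatime 0 0
EOF
}

sample_mounts | missing_mount_flags '/tmp' \
    || echo 'WARNING: /tmp is not fully hardened'
```

On a live system, feed the function from `/proc/mounts` (for example from a cron job) so that a /tmp left executable after an upgrade is reported.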
Uninstallation
To undo the changes described by this post, disable the created mount point:
${cmdProxy} sed -i -e "/${loopbackPath//\//\\\/}/d" '/etc/fstab'
Remove the APT settings:
${cmdProxy} rm '/etc/apt/apt.conf.d/90noexectmp'
Reboot the system to apply the change:
${cmdProxy} reboot
Do not forget to manually remove the useless loopback file.