The /tmp folder can be used to compromise the system security. A simple way to prevent this issue is to prevent the execution of scripts stored in this path. This guide describe how to do this.

This howto is tested on:

  • Debian 5.0 Lenny
  • Debian 6.0 Squeeze
  • Debian 10.0 Buster

Settings

Set the path where to block the scripts execution:

noexecPath='/tmp'

Set the path where to store the loopback file:

loopbackPath='/var/lib/tmpfs/tmp.fs'

Set the size of the loopback file (in Giga bytes):

loopbackSize='1'

Set the file system used to format the loopback file:

loopbackFs='ext4'

Installation

Detect if sudo is available (“command” is used if not):

cmdProxy='command'
command type -f 'sudo' &>'/dev/null' && cmdProxy='sudo'

Remove trailing spaces from provided $noexecPath:

noexecPath="$(command sed -e 's|/*$||g' <<< "${noexecPath}")"

Create a path where to loopback file used as /tmp filesystem will be stored:

${cmdProxy} mkdir --parent "$(command dirname "${loopbackPath}")"

Create a empty file that will be used to store /tmp contents (this can take a few seconds):

${cmdProxy} dd if='/dev/zero' of="${loopbackPath}" \
    bs=1024 count=$(( ${loopbackSize} * 1000000 ))

Format the file using the choosen filesystem:

${cmdProxy} mkfs --type "${loopbackFs}" -F "${loopbackPath}"

Add the mount point settings to ‘fstab’ file:

${cmdProxy} tee -a '/etc/fstab' \
  <<< "${loopbackPath} ${noexecPath} ${loopbackFs} loop,noexec,nosuid,nodev,rw 0 0"

Detect the current path permissions:

currentOwner="$(command stat -c '%U:%G' "${noexecPath}")"
currentPermissions="$(command stat -c '%a' "${noexecPath}")"

Activate the new filesystem with the noexec option (by moving out of the way the currently used /tmp to prevent perturbations):

${cmdProxy} mv "${noexecPath}" "${noexecPath}.old" \
&& ${cmdProxy} mkdir "${noexecPath}" \
&& ${cmdProxy} chown "${currentOwner}" "${noexecPath}" \
&& ${cmdProxy} chmod "${currentPermissions}" "${noexecPath}" \
&& ${cmdProxy} mount "${noexecPath}" \
&& ${cmdProxy} chown "${currentOwner}" "${noexecPath}" \
&& ${cmdProxy} chmod "${currentPermissions}" "${noexecPath}" \
&& ${cmdProxy} find "${noexecPath}.old" -mindepth 1 -maxdepth 1 \
    -exec mv '{}' "${noexecPath}" \; \
&& ${cmdProxy} rm -r "${noexecPath}.old"

Configure APT to enable script execution from the path during upgrades:

${cmdProxy} tee '/etc/apt/apt.conf.d/90noexectmp' \
 <<< "DPkg
{
  Pre-Invoke { \"mount -o 'remount,exec' '${loopbackPath}'\" };
  Post-Invoke { \"mount -o 'remount,noexec' '${loopbackPath}' || true\" };
};"

Le répertoire temporaire ne peut maintenant plus être utilisé pour exécuter des scripts.

Uninstallation

To undo the changes described by this post, disable the created mount point:

${cmdProxy} sed -i -e "/${loopbackPath//\//\\\/}/d" '/etc/fstab'

Remove the APT settings:

${cmdProxy} rm '/etc/apt/apt.conf.d/90noexectmp'

Reboot the system to apply the change:

${cmdProxy} reboot

Do not forget to manually remove the useless loopback file.

Categories: Security

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.