The /tmp folder can be used to compromise system security. A simple way to mitigate this is to prevent the execution of scripts stored in this path. This guide describes how to do this.

This howto has been tested on:

  • Debian 5.0 Lenny
  • Debian 6.0 Squeeze
  • Debian 10.0 Buster

Settings

Set the path where script execution will be blocked:

noexecPath='/tmp'

Set the path where the loopback file will be stored:

loopbackPath='/var/lib/tmpfs/tmp.fs'

Set the size of the loopback file (in gigabytes):

loopbackSize='1'

Set the file system used to format the loopback file:

loopbackFs='ext4'

Installation

Detect whether sudo is available (“command” is used if not):

cmdProxy='command'
command type -f 'sudo' &>'/dev/null' && cmdProxy='sudo'

Remove trailing slashes from the provided $noexecPath:

noexecPath="$(command sed -e 's|/*$||g' <<< "${noexecPath}")"

Create the directory where the loopback file used as the /tmp filesystem will be stored:

${cmdProxy} mkdir --parent "$(command dirname "${loopbackPath}")"

Create an empty file that will be used to store the /tmp contents (this can take a few seconds):

${cmdProxy} dd if='/dev/zero' of="${loopbackPath}" \
    bs=1024 count=$(( ${loopbackSize} * 1000000 ))

Format the file using the chosen filesystem:

${cmdProxy} mkfs --type "${loopbackFs}" -F "${loopbackPath}"

Add the mount point settings to the ‘fstab’ file:

${cmdProxy} tee -a '/etc/fstab' \
  <<< "${loopbackPath} ${noexecPath} ${loopbackFs} loop,noexec,nosuid,nodev,rw 0 0"

Detect the current path permissions:

currentOwner="$(command stat -c '%U:%G' "${noexecPath}")"
currentPermissions="$(command stat -c '%a' "${noexecPath}")"

Activate the new filesystem with the noexec option (the currently used /tmp is first moved out of the way to avoid disruption):

${cmdProxy} mv "${noexecPath}" "${noexecPath}.old" \
&& ${cmdProxy} mkdir "${noexecPath}" \
&& ${cmdProxy} chown "${currentOwner}" "${noexecPath}" \
&& ${cmdProxy} chmod "${currentPermissions}" "${noexecPath}" \
&& ${cmdProxy} mount "${noexecPath}" \
&& ${cmdProxy} chown "${currentOwner}" "${noexecPath}" \
&& ${cmdProxy} chmod "${currentPermissions}" "${noexecPath}" \
&& ${cmdProxy} find "${noexecPath}.old" -mindepth 1 -maxdepth 1 \
    -exec mv '{}' "${noexecPath}" \; \
&& ${cmdProxy} rm -r "${noexecPath}.old"

Configure APT to temporarily allow script execution from the path during upgrades:

${cmdProxy} tee '/etc/apt/apt.conf.d/90noexectmp' \
 <<< "DPkg
{
  Pre-Invoke { \"mount -o 'remount,exec' '${loopbackPath}'\" };
  Post-Invoke { \"mount -o 'remount,noexec' '${loopbackPath}' || true\" };
};"

The temporary directory can no longer be used to execute scripts.
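
To confirm the result, the check below (an added example, not part of the original guide) reads a mount table in /proc/mounts format and reports which of noexec, nosuid and nodev are missing for a mount point. The function names and sample lines are constructed for illustration; the second sample models /tmp left exec-mounted after the APT Pre-Invoke hook when the Post-Invoke remount fails, a failure that the "|| true" in the hook hides.

```sh
#!/bin/sh
# Added example, not part of the original guide.

# missing_mount_opts MOUNTS_FILE MOUNT_POINT [REQUIRED_OPTS]
# Prints the required options absent from the LAST entry for MOUNT_POINT
# (a later mount shadows earlier ones), or "unmounted" if there is no entry.
# Returns 0 when nothing is missing, 1 when options are missing, 2 if unmounted.
missing_mount_opts() {
  mounts_file="$1"; mount_point="$2"; required="${3:-noexec,nosuid,nodev}"
  opts="$(awk -v mp="${mount_point}" '$2 == mp { o = $4 } END { print o }' \
    "${mounts_file}")"
  if [ -z "${opts}" ]; then
    printf 'unmounted\n'
    return 2
  fi
  missing=''
  old_ifs="${IFS}"; IFS=','
  for want in ${required}; do
    case ",${opts}," in
      *",${want},"*) ;;
      *) missing="${missing:+${missing},}${want}" ;;
    esac
  done
  IFS="${old_ifs}"
  printf '%s\n' "${missing}"
  [ -z "${missing}" ]
}

# Constructed /proc/mounts samples (not captured from a real host).
sample_hardened() {
  printf '%s\n' '/dev/sda1 / ext4 rw,relatime 0 0' \
    '/dev/loop0 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0'
}
# State if the Pre-Invoke remount ran but the Post-Invoke one failed silently.
sample_exec_left_on() {
  printf '%s\n' '/dev/sda1 / ext4 rw,relatime 0 0' \
    '/dev/loop0 /tmp ext4 rw,nosuid,nodev,relatime 0 0'
}

# Demo on the samples; on a real host: missing_mount_opts /proc/mounts /tmp
for sample in sample_hardened sample_exec_left_on; do
  result="$("${sample}" | missing_mount_opts - /tmp)" && result='none'
  printf '%s: missing options on /tmp: %s\n' "${sample}" "${result}"
done
```

Run from cron or a monitoring agent against /proc/mounts, a non-zero exit status flags a /tmp that has lost its hardening options.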

Uninstallation

To undo the changes described by this post, disable the created mount point:

${cmdProxy} sed -i -e "/${loopbackPath//\//\\\/}/d" '/etc/fstab'

Remove the APT settings:

${cmdProxy} rm '/etc/apt/apt.conf.d/90noexectmp'

Reboot the system to apply the change:

${cmdProxy} reboot

Do not forget to manually remove the now-unused loopback file.
