Hi List, I have my tmp directory on my / filesystem. Obviously executables are allowed for this filesystem. A friend of mine, though, claims that this can be a security problem because it helps attackers to run local exploits. From my point of view, it can do no more harm than an executable from an user's home directory. I am almost sure about that, but as I am not a guru I ask for further explanation. Is /tmp a danger if it can contains executables?? Note: I have to allow executables from users' home dir. Praise
On Tue, Nov 27, 2001 at 05:16:30PM +0100, Praise wrote:
Is /tmp a danger if it can contains executables?? Note: I have to allow executables from users' home dir.
Not really, since a hacker can run any file (or binary) even when it hasn't any executable-attribute set (ofcourse, the hacker should still have the permission to read the file). ~$ ls -l somefile -rw-r--r-- 1 nitro nitro 14011 Nov 27 17:35 somefile ~$ id uid=512(tus) gid=505(lusers) groups=505(lusers),10(wheel),21(slocate) ~$ file somefile somefile: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), not stripped ~$ ./somefile bash: ./somefile: Permission denied ~$ /lib/ld-linux.so.2 ./somefile Hello world! ~$ -- Unix, MS-DOS and Windows NT (also known as the Good, the Bad and the Ugly). ~(Matt Welsh)
Is /tmp a danger if it can contains executables?? You should move /tmp to a partition with nosuid option set (as well as /home). Then give each user his/her own /home/.../tmp dir and set $TMPDIR in login script. Configure screen (if you use screen), to use the users own tmp directory and not /tmp. This should be enough ...
Markus -- _____________________________ /"\ Markus Gaugusch ICQ 11374583 \ / ASCII Ribbon Campaign markus@gaugusch.at X Against HTML Mail / \
* Praise wrote on Tue, Nov 27, 2001 at 17:16 +0100:
I have my tmp directory on my / filesystem. Obviously executables are allowed for this filesystem. A friend of mine, though, claims that this can be a security problem because it helps attackers to run local exploits.
For some script kiddies that may be true. But usually it's easy to run a tool from the home as well.
From my point of view, it can do no more harm than an executable from an user's home directory.
I think it's really the same.
Is /tmp a danger if it can contains executables?? Note: I have to allow executables from users' home dir.
If a user has no write permissions to any excuteable partitions, this would help a little, but evne then you can start every binary with the dyna linker ld-linux*, so it makes it not much harder to run a binary on such a partition. If you have the users to be allowed to executed own binaries somewhere, it completely equal if they crack via /tmp or their ~home. oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.
The reason is that /tmp and /var/tmp are WORLD WRITEABLE. ANYTHING (ANYTHING!) can write to them. Of course this is the whole point, a global scratch space. Why is this a risk? Many attacks will expose information/etc, being able to dump to /tmp is very convinient, especially for www based stuff/etc. Other reasons include getting a small amount of access, uploading files (to tmp) and exploiting a local hole to gain root or whatever. Another risk is an attacker filling up your / partition (where /tmp is unless it's a seperate partition usually...) which can cause a ton of grief, especially with seriously deep directory structures (like 100k dirs deep). http://www.seifried.org/lasg/installation/ -Kurt
participants (5)
-
Kurt Seifried -
Markus Gaugusch -
Praise -
Steffen Dettmer -
Sven Vermeulen