Secure the temporary folder on Debian
The /tmp folder is writable by every user and process, so it can be used to compromise the security of the system. A simple and efficient way to protect the system is to prevent the execution of files stored in this folder.
This howto has been tested on:
- Debian 5.0 Lenny
- Debian 6.0 Squeeze
Installation
Create a folder to contain the loopback partition replacing /tmp:
command mkdir '/var/lib/tmpfs'
Create a 1 GB empty file (this can take several seconds):
command dd if='/dev/zero' of='/var/lib/tmpfs/tmp.fs' bs=1024 count=1000000
Create an ext3 file system on the loopback file:
command mkfs.ext3 -F '/var/lib/tmpfs/tmp.fs'
Add a /tmp line to the fstab file:
command echo "/var/lib/tmpfs/tmp.fs /tmp ext3 loop,noexec,nosuid,nodev,rw 0 0" \
>> '/etc/fstab'
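These commands swap in the new /tmp while limiting the disruption to software that is using the temporary folder. The globs are left unquoted so that the shell expands them, and the second pattern moves hidden files without matching "." and "..":
command mv '/tmp' '/tmp.old'
command mkdir '/tmp'
command mount '/tmp'
command mv '/tmp.old/'* '/tmp/'
command mv '/tmp.old/'.[!.]* '/tmp/'
command rm -r '/tmp.old'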
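Adjust the permissions of the temporary folder (world-writable, with the sticky bit set so that users can only delete their own files):
command chmod 1777 '/tmp'
Adjust the apt configuration so that package scripts can run from the protected temporary folder during installs: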
command echo 'DPkg
{
Pre-Invoke { "command mount /tmp -o remount,exec" };
Post-Invoke { "command mount /tmp -o remount,noexec || true" };
};' > '/etc/apt/apt.conf.d/90mount'
Files in the temporary folder can no longer be executed directly.
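The following check is an added example, not part of the original howto: it confirms that /tmp really carries the noexec, nosuid and nodev options from the fstab line, which is worth running after each apt operation because the Post-Invoke hook ends in "|| true" and so hides a failed remount. The function names and the sample line are hypothetical; the input is expected in /proc/mounts format on standard input.

```shell
#!/bin/sh
# Added example: verify the hardening options of the /tmp mount.
# Input: a mount table in /proc/mounts format on stdin.

REQUIRED_OPTS="noexec nosuid nodev"

# missing_mount_opts [MOUNT_POINT]
# Prints the required options that are absent (nothing when all are set),
# or "unmounted" when the mount point is not in the table at all.
missing_mount_opts() {
    mount_point=${1:-/tmp}
    opts=""
    found=no
    # Fields: device mountpoint fstype options dump pass.
    # The last matching line is the mount that is currently visible.
    while read -r _dev mp _type mopts _rest; do
        if [ "$mp" = "$mount_point" ]; then
            opts=$mopts
            found=yes
        fi
    done
    if [ "$found" = no ]; then
        echo "unmounted"
        return 0
    fi
    missing=""
    for want in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    echo "${missing# }"
}

# check_tmp: exit status 0 only when /tmp is mounted with every option.
check_tmp() {
    result=$(missing_mount_opts /tmp)
    if [ -n "$result" ]; then
        echo "/tmp is not protected: $result" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the state left behind when the Post-Invoke remount fails.
SAMPLE='/dev/loop0 /tmp ext3 rw,nosuid,nodev,relatime 0 0'
printf '%s\n' "$SAMPLE" | missing_mount_opts /tmp
```

On a live system, run it as "check_tmp < /proc/mounts" and treat a non-zero exit status as a reason to remount /tmp with noexec.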
Uninstallation
To remove the settings installed by this article, disable the mount point:
command sed -i -e '/\/var\/lib\/tmpfs\/tmp.fs/d' '/etc/fstab'
Reboot the system (mandatory to disable the temporary mount):
command reboot
Delete the configuration files:
command rm '/etc/apt/apt.conf.d/90mount' \
'/var/lib/tmpfs/tmp.fs'
Thanks
- Thanks to fighting_falcon for his help with apt configuration.
- Thanks to Kevin for his howto "Secure your /tmp folder".