
Secure the temporary folder on Debian

by Pierre-Yves Landuré last modified Nov 11, 2017 09:31

The /tmp folder, being writable by every user, can be used to compromise the system's security. A simple and efficient way to protect the system is to prevent the execution of files placed in this folder by mounting it with the noexec option.

This howto is tested on:

  • Debian 5.0 Lenny
  • Debian 6.0 Squeeze

Installation

Create a folder to hold the file-backed (loopback) file system that will replace /tmp:

command mkdir '/var/lib/tmpfs'

Create a 1 GB empty file (this can take several seconds):

command dd if='/dev/zero' of='/var/lib/tmpfs/tmp.fs' bs=1024 count=1000000

Create an ext3 file system on the loopback file:

command mkfs.ext3 -F '/var/lib/tmpfs/tmp.fs'

Add a /tmp entry to the fstab file:

command echo "/var/lib/tmpfs/tmp.fs /tmp ext3 loop,noexec,nosuid,nodev,rw 0 0" \
>> '/etc/fstab'

These commands move the existing contents of /tmp onto the new mount, so that software using the temporary folder is disturbed as little as possible (the globs must stay unquoted so that the shell expands them; .[!.]* matches hidden entries without matching . and ..):

command mv '/tmp' '/tmp.old'
command mkdir '/tmp'
command mount '/tmp'
command mv /tmp.old/* '/tmp/'
command mv /tmp.old/.[!.]* '/tmp/'
command rm -r '/tmp.old'

Adjust the temporary folder rights (world-writable with the sticky bit set, as on a standard /tmp, so that users cannot remove each other's files):

command chmod 1777 '/tmp'

Adjust the apt configuration so that package installations, which may need to execute files in the temporary folder, still work on the protected /tmp (it is remounted exec while dpkg runs and noexec again afterwards):

command echo 'DPkg
{
Pre-Invoke { "command mount /tmp -o remount,exec" };
Post-Invoke { "command mount /tmp -o remount,noexec || true" };
};' > '/etc/apt/apt.conf.d/90mount'

The temporary folder can no longer be used to run scripts or binaries directly: the kernel refuses to execute any file on a file system mounted noexec. Note that this only covers direct execution; a file handed to an interpreter as an argument is still read by that interpreter, so this is a mitigation rather than a complete barrier.
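To verify the result, here is an added check script that is not part of the original howto: it parses /proc/mounts-style lines for the three hardening options, and offers a live function that also confirms behaviourally that a file under /tmp cannot be executed. The SAMPLE_MOUNTS lines are constructed for the example, and the device name /dev/loop0 is an assumption.

```shell
# Added verification script (not part of the original howto): parse
# /proc/mounts-style lines to confirm noexec, nosuid and nodev, then probe the
# live /tmp. SAMPLE_MOUNTS is constructed; /dev/loop0 is an assumed name.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/loop0 /tmp ext3 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=102400k 0 0'

# mount_options MOUNTS_TEXT MOUNTPOINT: option field of the last (effective)
# mount at MOUNTPOINT; empty when nothing is mounted there.
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }'
}

# has_option OPTS NAME: succeed if comma-separated OPTS contains NAME exactly
# (so "noexec" is not confused with "exec").
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_hardened MOUNTS_TEXT MOUNTPOINT: succeed only when noexec, nosuid and
# nodev are all present; otherwise report what is missing and fail.
check_hardened() {
    opts=$(mount_options "$1" "$2")
    [ -n "$opts" ] || { echo "not-mounted"; return 1; }
    missing=""
    for want in noexec nosuid nodev; do
        has_option "$opts" "$want" || missing="$missing $want"
    done
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

# check_live_tmp: same check against the real /proc/mounts, then a behavioural
# test that a file created under /tmp is refused when executed directly.
check_live_tmp() {
    check_hardened "$(cat /proc/mounts)" /tmp || return 1
    probe=$(mktemp /tmp/noexec-probe.XXXXXX) || return 1
    printf '#!/bin/sh\nexit 0\n' > "$probe"
    chmod 700 "$probe"
    if "$probe" 2>/dev/null; then rm -f "$probe"; return 1; fi  # ran: not noexec
    rm -f "$probe"
    return 0
}
check_hardened "$SAMPLE_MOUNTS" /tmp && echo "/tmp (sample): hardened"
check_hardened "$SAMPLE_MOUNTS" /run || echo "/run (sample): not hardened"
```

Run check_live_tmp on the system after the installation steps; it returns 0 only when /tmp carries all three options and the execution probe is refused.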

Uninstallation

To remove the settings installed by this article, disable the mount point:

command sed -i -e '/\/var\/lib\/tmpfs\/tmp.fs/d' '/etc/fstab'

Reboot the system (this is mandatory: the /tmp mount is in use and must be released before the loopback file can be deleted):

command reboot

Delete the configuration files:

command rm '/etc/apt/apt.conf.d/90mount' \
           '/var/lib/tmpfs/tmp.fs'

Thanks

  • Thanks to fighting_falcon for his help with apt configuration.
  • Thanks to Kevin for his howto "Secure your /tmp folder".