KAA (n00b)
Joined: 12 Jul 2002 Posts: 14 Location: Kyiv
Posted: Wed Apr 06, 2005 9:29 am Post subject: how can I restrict creation of executables in /tmp ?
Hello all
My question is simple: is there any way to restrict creation of executable files in /tmp to some users?
thanks in advance ;o)
_________________
--
wbr, kaa
MrUlterior (Guru)
Joined: 22 Mar 2005 Posts: 511 Location: Switzerland
Posted: Wed Apr 06, 2005 10:01 am
Not AFAIK, but I normally make /tmp a distinct partition and use the noexec option in /etc/fstab - there should be no reason for executables in /tmp anyway (other than rootkits ...)
_________________
Misanthropy 2.0 - enough hate to go around
KAA (n00b)
Joined: 12 Jul 2002 Posts: 14 Location: Kyiv
Posted: Wed Apr 06, 2005 10:27 am
MrUlterior wrote:
> Not AFAIK, but I normally make /tmp a distinct partition and use the noexec option in /etc/fstab - there should be no reason for executables in /tmp anyway (other than rootkits ...)

thanx, good idea, but I do not have space for another partition, and it's a remote production server - no way to resize the existing ones...
any other good tips? ;o)
_________________
--
wbr, kaa
MrUlterior (Guru)
Joined: 22 Mar 2005 Posts: 511 Location: Switzerland
Posted: Wed Apr 06, 2005 12:00 pm
A second (inelegant) solution might be to move tmp somewhere else (different name), then add something like:
Code:
```
# bind-mount the relocated directory back onto /tmp with exec disabled
# (fstab fields: source  mountpoint  fstype  options  dump  pass;
#  a bind mount uses fstype "none" and the "bind" option)
# older mount(8) versions ignore options on the initial bind and need
# a follow-up "mount -o remount,noexec /tmp" for noexec to take effect
/mnt/tmp /tmp none bind,noexec 0 0
```
to /etc/fstab, then
Code:
```
mkdir /tmp
mount /tmp
```
which will have the same effect but is largely only securing /tmp by obscuring its real (exec allowed) location.
_________________
Misanthropy 2.0 - enough hate to go around
KAA (n00b)
Joined: 12 Jul 2002 Posts: 14 Location: Kyiv
Posted: Wed Apr 06, 2005 1:35 pm
ok, I managed to make a separate partition for /tmp and it is shown by mount as "auto,rw,noexec"
does it guarantee that 755 files there can't be executed even though I can still create such files there?
sorry for my strange English, I'm trying to express myself in the most understandable way, but it doesn't always work - springtime, you know ;)
_________________
--
wbr, kaa
MrUlterior (Guru)
Joined: 22 Mar 2005 Posts: 511 Location: Switzerland
Posted: Wed Apr 06, 2005 1:51 pm
KAA wrote:
> ok, I managed to make a separate partition for /tmp and it is shown by mount as "auto,rw,noexec"
> does it guarantee that 755 files there can't be executed even though I can still create such files there?

As far as I know, yes. But the best test would be:
Code:
```
cd /tmp
echo '#!/bin/bash' > test.sh
echo 'echo "Something Wrong!"' >> test.sh
chmod 0700 /tmp/test.sh && ./test.sh
```
And hope it doesn't work.

KAA wrote:
> sorry for my strange English, I'm trying to express myself in the most understandable way, but it doesn't always work - springtime, you know ;)

Hehe, no worries.
_________________
Misanthropy 2.0 - enough hate to go around
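As an added example, not code from the thread: a POSIX sh check that reads a /proc/mounts-style table and reports whether a given path sits on a noexec mount, so the question KAA asked can be answered from a script or a monitoring job rather than by eyeballing `mount` output. The sample table embedded below is constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example, not code from the thread: answer "is this path on a noexec
# mount?" by walking a /proc/mounts-style table and picking the longest
# mount point that is a prefix of the path (a nested mount wins over its parent).
# Usage: mount_noexec_state PATH [TABLE]; prints "noexec" or "exec".
# When TABLE is omitted the live /proc/mounts is read.
mount_noexec_state() {
    path=$1
    table=${2:-$(cat /proc/mounts)}
    best=""
    bestopts=""
    # /proc/mounts fields: device mountpoint fstype options dump pass
    while read -r dev mnt fstype opts rest; do
        case "$path" in
            "$mnt"|"${mnt%/}"/*) ;;   # exact mount point, or somewhere below it
            *) continue ;;
        esac
        if [ "${#mnt}" -gt "${#best}" ]; then
            best=$mnt
            bestopts=$opts
        fi
    done <<EOF
$table
EOF
    case ",$bestopts," in
        *,noexec,*) echo noexec ;;
        *)          echo exec ;;
    esac
}

# Constructed sample table (not a real host): /tmp is its own noexec
# filesystem, but a mount nested under it was mounted with exec allowed.
CONSTRUCTED_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda4 /home ext3 rw 0 0
/dev/sdb1 /tmp/pub ext3 rw 0 0'

for p in /tmp /tmp/test.sh /tmp/pub/x /home/kaa /tmpfoo; do
    echo "$p -> $(mount_noexec_state "$p" "$CONSTRUCTED_MOUNTS")"
done

# On a Linux host, check the real /tmp the same way.
if [ -r /proc/mounts ]; then
    echo "/tmp on this host -> $(mount_noexec_state /tmp)"
fi
```

Note that noexec only refuses direct execution of files on that filesystem; a file handed explicitly to an interpreter still runs, so treat the flag as one hardening layer rather than a guarantee.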
KAA (n00b)
Joined: 12 Jul 2002 Posts: 14 Location: Kyiv
Posted: Wed Apr 06, 2005 2:07 pm
everything's fine, you solved my problem
thanks a lot
_________________
--
wbr, kaa