LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Press page

Sponsored link

Serve your customers, not your servers, with VERIO Linux VPS. Full-access test-drive here.

Recent Features

Notes on the Viacom ruling

LWN.net Weekly Edition for July 3, 2008

More DTrace envy

LWN.net Weekly Edition for June 26, 2008

Symbian to be another open mobile platform

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Secure temporary files in Linux (ZDNet India)

[Posted March 10, 2008 by jake]

ZDNet India has some tips on securing /tmp and friends on Linux. "One problem with directories meant to store temporary files is that they can often be targeted as places to store bots and rootkits that compromise the system. This is because in most cases, anyone (or any process) can write to these directories."
(Log in to post comments)

Secure temporary files in Linux (ZDNet India)

Posted Mar 10, 2008 21:37 UTC (Mon) by ballombe (subscriber, #9523) [Link] 

I fail to see why a bot would ever need to create executable in /tmp.
Beside, this is trivial to bypass: just upload a script foo and run
sh -c foo or perl foo.

So, what is the point ?

Secure temporary files in Linux (ZDNet India)

Posted Mar 10, 2008 23:49 UTC (Mon) by jreiser (subscriber, #11027) [Link]

A particular bot might be able to function without creating an executable in /tmp, but doing so may be convenient for the bot writer. For instance, such code is readily available, small, etc. Some systems/environments/users do not have sh or perl visible in $PATH.

Secure temporary files in Linux (ZDNet India)

Posted Mar 11, 2008 0:10 UTC (Tue) by Fishwaldo (subscriber, #47595) [Link] 

I dont' think its a issue of preventing a bot creating a executable, but preventing the bot
getting on 
the system in the first place.

Lots of exploits out there target webapps, and bot/worm authors know that regardless of what 
distribution the target systems are running, /tmp is always available and writable... so thats
where 
they dump their bots and then execute them. (for good, well documented examples, have a look
at 
the phpbb worms that were around about a year ago..)

The noexec might stop 1/2 (guestimate) of existing bots/worms out there, but then there are
tons 
of perl or shell based bots as well that it probably wont stop.

To me, this is more of a problem of lazy admins looking for easy ways out. As long as you keep
you 
systems up todate then you shouldn't need to worry about bots targetting /tmp in the first
place 

(of course, its a different story for webhosts, but then this type of stuff is part of the
game)

Senseless drivel

Posted Mar 10, 2008 21:59 UTC (Mon) by kraftcheck (subscriber, #35072) [Link] 

Why security problems does it solve to mount /tmp as nosuid,noexec,nodev? This is more
restrictive, but is it needlessly so rather than more secure?  The 'nodev' option is
meaningless, because only root may create device nodes and if one is root, then remounting
/tmp without the nodev option is not a problem.  'nosuid' is redundant if 'noexec' is
specified.  Why 'noexec'?  How does it in any way enhance the security of the system to
prevent a user from running an application in /tmp if the user can just run it out of their
home directory instead? 

The article mentions the fact that it is often possible for users to read each other's files
in /tmp (an issue with umask and individual applications, rather than with /tmp.)  But the
suggested solution doesn't address this issue at all.

The article suggests that users may create a private directory for temporary files mounted as
a loopback device if they don't have sufficient privileges to make changes to /tmp.  What is
the point of that?  Most people aren't interested in imposing additional restrictions only on
themselves.  Any application the user runs can easily bypass this anyway (e.g. create a new
loopback mount of the same file or remount the loopback with different options.)  Or just
write the temp files to /tmp instead of the user's personal temporary directory.

Security benefits of noexec?

Posted Mar 10, 2008 22:06 UTC (Mon) by epa (subscriber, #39769) [Link] 

It would be an inconvenience to a bot author if they couldn't create and run their own
executables anywhere on the system (so all filesystems mounted either readonly or noexec).
But perl is perfectly capable, so while existing bots distributed as a binary executable
wouldn't work, it's not a serious obstacle.

Out of interest, is it possible to implement a simple exec() in user space?

Security benefits of noexec?

Posted Mar 10, 2008 22:12 UTC (Mon) by ballombe (subscriber, #9523) [Link] 

Do you mean /lib/ld-linux.so.2 ? then yes.
cp /bin/ls /tmp
chmod a-x /tmp/ls
/lib/ld-linux.so.2 /tmp/ls

Security benefits of noexec?

Posted Mar 11, 2008 9:02 UTC (Tue) by Wummel (subscriber, #7591) [Link] 

The /lib/ld-linux.so flaw has been fixed in recent (2.6.24 iirc) kernels:
$ /lib/ld-linux.so.2 /tmp/ls
/tmp/ls: error while loading shared libraries: /tmp/ls: failed to map segment from shared
object: Operation not permitted

Security benefits of noexec?

Posted Mar 10, 2008 22:34 UTC (Mon) by jamesm (subscriber, #2273) [Link]

Just run perl.

Security benefits of noexec?

Posted Mar 10, 2008 23:24 UTC (Mon) by nix (subscriber, #2304) [Link] 

It's trivial to do with mmap (PROT_EXEC). Just look at the implementation 
of the dynamic linker, which has to do all of this stuff anyway.

mmap and PROT_EXEC

Posted Mar 11, 2008 0:00 UTC (Tue) by jreiser (subscriber, #11027) [Link] 

mmap() and mprotect() involving PROT_EXEC are not necessarily trivial when Security Enhanced
Linux (SELinux) is present.  In particular, in some environments it is reasonable to attempt
to enforce the policy: "Any instruction ever executed must be fetched from the unchanging
PROT_EXEC pages of the following explicit list of files."  Accurate implementation of this
policy is a successful defense against many exploits.

mmap and PROT_EXEC

Posted Mar 11, 2008 12:36 UTC (Tue) by nix (subscriber, #2304) [Link] 

Yes, SELinux can plug this hole (although it might be annoying to do so).

simple exec() in user space

Posted Mar 10, 2008 23:32 UTC (Mon) by jreiser (subscriber, #11027) [Link]

Yes, it is possible to implement a simple exec() in user space; it takes about 1.4KB of code on x86. For instance: UPX (http://upx.sourceforge.net)

Security benefits of noexec?

Posted Mar 11, 2008 10:35 UTC (Tue) by PaXTeam (subscriber, #24616) [Link] 

> Out of interest, is it possible to implement a simple exec() in user space?

check out grugq's ul_exec in http://www.phrack.org/issues.html?issue=62&id=8

Senseless drivel

Posted Mar 10, 2008 23:27 UTC (Mon) by nix (subscriber, #2304) [Link] 

The article actually manages to not discuss the single largest threat 
posed by /tmp (on a system with untrusted local users, at least): /tmp 
races. Perhaps that's because there's no simple method a sysadmin can use 
to fix them all without possibly breaking something else...

Also, its recommendation to symlink /var/tmp to /tmp is premature: it 
should first discuss the differing purposes and lifetime rules of /tmp 
versus /var/tmp (files in the latter should survive a reboot, and some 
programs, e.g. vi, rely on this behaviour). That this wasn't even 
mentioned in passing makes me wonder if the article's author knows 
that /tmp and /var/tmp have differing purposes at all...

Senseless drivel

Posted Mar 10, 2008 23:34 UTC (Mon) by sholdowa (guest, #34811) [Link] 

Couldn't agree more!

I just wish that there was some way to get PHBs to realise that outsourcing to this level of
knowledge might actually not be that good an idea!.

Senseless drivel

Posted Mar 11, 2008 9:49 UTC (Tue) by wingo (subscriber, #26929) [Link]

I believe that this comment is racist, effectively saying "don't trust Indians".

Besides that, as a minor second point, I don't think that the author has anything to do with outsourcing.

Senseless drivel

Posted Mar 11, 2008 13:26 UTC (Tue) by paragw (subscriber, #45306) [Link] 

But it doesn't look that bad an idea when compared to the basic incompetence and childishness 
your comment shows - grow up, RTFA before posting racist comments that try to prove a point on

your agenda, realize that "ZdNet India" !necessarily= "Article Written by some one in India
working 
for a outsourcing company".

why noexec

Posted Mar 10, 2008 23:44 UTC (Mon) by jreiser (subscriber, #11027) [Link] 

Some exploits involve exec(), and mounting /tmp as noexec closes one avenue of attack: those
exploits that attempt to exec from /tmp [and nowhere else].  Some local policies mount /home
as noexec for the same reason.  Some local policies restrict mount(), such as by requiring
root or CAP_SYS_ADMIN.

Secure temporary files in Linux (ZDNet India)

Posted Mar 11, 2008 10:40 UTC (Tue) by roblucid (subscriber, #48964) [Link] 

Reading the comments first, I expected the article to be much worse than 
it was.  Yes it's not complete, but it was written as a 1 tricky pony not 
everything you would ever need to know about /tmp but were too afraid to 
ask.

The basis for seperate /tmp and restrictive mount options, is the 
principal of least privilege.  The service daemons frequently are run with 
their own user ID and without write permission on any directories, so 
someone finding a way to run a command, is very likely looking for 
somewhere to upload code as a step towards privilege escalation.

Those suggesting it's pointless to take security measures, because they 
can ultimately be circumvented aren't looking at the practicalities of 
your typical attack.

Soft targets are hit, hardened systems are too time consuming, and limit 
the damage doable before detection and counter measures.  Only a complete 
optimist believes their system is un-crackable.

As for differences between /var/tmp and /tmp, it's something I wish 
application developers would make use of.  KDE likes to spend time 
creating per-user semi-temporary sockets, so the gain of using TMPFS 
for /tmp is reduced by relatively slow time to rebuild cleaned out stuff 
in /tmp.

Secure temporary files in Linux (ZDNet India)

Posted Mar 12, 2008 14:17 UTC (Wed) by vdanen (subscriber, #48453) [Link] 

This is actually quite amusing.  For one, I never wrote this for ZDNet Asia.  The original is
for 
TechRepublic: http://blogs.techrepublic.com.com/opensource/?p=171

It's also not an all-or-nothing solution, but part of an overall solution (you know... the
little pieces).  
To think that securing /tmp is all you can do is laughable.  But it's a valid part... it's
called defense 
in depth.

Likewise, the unfortunate thing for writing these tips is that they have restrictive word
counts so 
while I could have written a lot more info, the space constraints are actually quite small so
if 
something could use, say, 1000 words, I've got to cram it into 400, which makes things
challenging 
and doesn't leave much room for lots of explanation.

I suppose a disclaimer might have been useful... something along the lines of "if you think
this is all 
you need to do to secure your system, you're an idiot", but somehow I don't think my editor
would 
have liked that.

Secure temporary files in Linux (ZDNet India)

Posted Mar 12, 2008 21:34 UTC (Wed) by nix (subscriber, #2304) [Link] 

I didn't think of word counts. That explains a lot, I suppose, and your 
choice of topics was reasonable given horrible word count limits.

(But, er, why have word count limits at all for web pages? It's not as if 
it uses up too much paper, or as if a longer document would run anyone out 
of disk space... but that's not something you can fix.)

word count limits

Posted Mar 13, 2008 3:47 UTC (Thu) by jreiser (subscriber, #11027) [Link] 

One reason for a word count limit: space on the screen (especially the first screenful), to
leave room for more ads.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds
Powered by Rackspace Managed Hosting.