Linux Temporary file directory security Configuration instance

Source: Internet
Author: User
Tags configuration configuration instance create directory file files kernel linux

In a typical Linux system, at least two directories or partitions maintain temporary files. One of these is the/tmp directory, and TMP. In the newer Linux kernel system, there may also be SHM, which is loaded with the Tmpfs file system.

The problem with storing temporary files is that these directories can be a hotbed of zombies and rootkit that compromise system security. This is because in most cases, anyone (or any process) can write to these directories, as well as unsafe licensing issues. We know that all sticky bit, this bit can be understood as the anti-deletion bit. If you want users to be able to add files and not delete files at the same time, you can use the sticky bit bit for the file. After this bit is set, the file cannot be deleted even if the user has write permission to the directory. Most Linux distributions set the sticky bit on the temporary directory, which means that user A cannot purge a file that belongs to User B, and vice versa. However, depending on the permissions of the file itself, user A may be able to view and modify the contents of that file.

A typical Linux installation sets/tmp to mode 1777, which means it has a sticky bit set and can be read, written, and executed by all users. In most cases, this is as secure as it is set, mainly because the/tmp directory is only a directory, not a file system of its own. The/tmp directory depends on/partition, so it must also follow its mount options.

A more secure solution might be to set/TMP on its own partition so that it can be loaded independently of/partition, and can have more restrictive options. An example of the Fstab project for the/TMP partition looks like this:

/dev/sda7/tmp ext3 NOSUID,NOEXEC,NODEV,RW 0 0

This sets the Nosuid, Noexec, and nodev options, meaning that no suid program is allowed to perform anything from this partition, and no device files exist.

You can clear the TMP directory and create a symlink point to/tmp directory so that temporary files in TMP can take advantage of these restrictive mount options.

The SHM virtual file system also needs to be secure, which can be achieved by changing the fstab. Typically, SHM is loaded with the defaults option, which is not enough to guarantee its security. Like the fstab in/TMP, it should have more restrictive loading options:

None/dev/shm Tmpfs DEFAULTS,NOSUID,NOEXEC,RW 0 0

In a typical Linux system, at least two directories or partitions maintain temporary files. One of these is the/tmp directory, and TMP. In the newer Linux kernel system, there may also be SHM, which is loaded with the Tmpfs file system.

Finally, if you do not have the ability to create an up-to-date/TMP partition on an existing drive, you can use the loopback feature of the Linux kernel by creating a loopback file system that can be loaded AS/TMP and can use the same restricted load option. To create a 1GB loopback file system, you need to perform:

# dd If=/dev/zero OF=/.TMPFS bs=1024 count=1000000

# mke2fs-j/.TMPFS

# Cp-av/tmp/tmp.old

# Mount-o LOOP,NOEXEC,NOSUID,RW/.tmpfs/tmp

# chmod 1777/tmp

# mv-f/tmp.old/*/tmp/

# Rmdir/tmp.old

Once completed, you need to edit the fstab to automatically load the loopback file system at startup:

/.tmpfs/tmp ext3 LOOP,NOSUID,NOEXEC,RW 0 0

Ensuring proper licensing and using restrictive addition options can prevent many damage to the system. If a zombie has a home on a file system that can't be executed, it's inherently not worth worrying about.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.