#1
Hi everybody! First of all, excuse me for my English; it is quite bad.

I'd like to secure my tmp directory. I know I could make a partition for this directory with noexec,nosuid,nodev, but I'd like to be more secure.

I don't want any user to be able to access my /tmp directory. So I'd like to have permissions like 770 instead of 777. I know that many applications need to write in the /tmp directory, so I would like to create a group named tmp, for example, where I would add the users that need to write in this directory. Instead of authorizing all users, I want to limit access to only a determined group of users. So I have to change the group owner of /tmp to become the tmp group instead of the root group.

There is still a problem with that and the sticky bit. How can I forbid deleting files that we don't own?

Are there some behaviors or difficulties that I haven't thought about?

Thank you in advance!
Bill

#2
On Thu, 24 Jul 2008 02:40:03 -0700 (PDT), billdangerous-at-gmail.com wrote [making use of /tmp a privilege governed by a tmp group]:
> There is still a problem with that and the sticky bit. How can I
> forbid deleting files that we don't own?

Why are you trying to re-invent the wheel (by annoying all your users)? What gains do you envision, and why can they not be achieved through conventional, functioning means?

--
j p d (at) d s b (dot) t u d e l f t (dot) n l .
This message was originally posted on Usenet in plain text. Any other representation, additions, or changes do not have my consent and may be a violation of international copyright law.

#3
In comp.unix.admin, billdangerous-at-gmail.com wrote:
> Hi everybody!
>
> First of all, excuse me for my English; it is quite bad.
>
> I'd like to secure my tmp directory. I know I could make a partition
> for this directory with noexec,nosuid,nodev, but I'd like to be more
> secure.
>
> I don't want any user to be able to access my /tmp directory. So I'd
> like to have permissions like 770 instead of 777. I know that many
> applications need to write in the /tmp directory,

What is a "user", other than an application running under a specific (e)uid and (e)gid? Many user-run applications create and access files in /tmp, and will not work without access to /tmp. Even legitimate user-run shell scripts create and access files in /tmp.

> so I would like to
> create a group named tmp, for example, where I would add the users that need
> to write in this directory.

So, you intend to add all shell users? If not, then you break some users' legitimate use of applications.

> Instead of authorizing all users, I want
> to limit access to only a determined group of users. So I have to
> change the group owner of /tmp to become the tmp group instead of the root group.
>
> There is still a problem with that and the sticky bit. How can I
> forbid deleting files that we don't own?

By enabling the sticky bit on the /tmp directory, you ensure that only the descendant file's owning uid can delete or rename the file.

> Are there some behaviors or difficulties that I haven't thought about?

Yes. Generally, the steps you are taking to "secure" your system will, instead, break it. You /really/ need to learn how to administer your system before you start "optimizing" or "securing" it.

I recommend that you at least read
- "Operating Systems - Design and Implementation" by Andrew Tanenbaum and Albert Woodhull
- "Linux in a Nutshell" by Ellen Siever, Stephen Figgins & Aaron Weber
- "Linux Security Cookbook" by Daniel Barrett, Richard Silverman & Robert Byrnes
- "Building Secure Servers with Linux" by Michael Bauer
and look into taking a /good/ course in Unix system administration at your local college first.

--
Lew Pitcher
Master Codewright & JOAT-in-training | Registered Linux User #112576
http://pitcher.digitalfreehold.ca/ | GPG public key available by request
---------- Slackware - Because I know what I'm doing. ------

#4
Well, thanks for these replies...

My goal is to limit access to the tmp directory. It's not a choice for me, it's only a guideline...

I'm not annoying my "users" because no real users are connected on the device, only applications. All are running as different users, with very specific permissions, because these applications are not trusty. I know that a better solution would be to chroot them, but I can't because of hierarchical decisions... I can't use ACLs either.

The applications developed are not using the tmp directory; only two of them need it. So the others don't need tmp directory access. Like a firewall, everything that is not needed by an application shall be forbidden in my environment.

You can say that's a bad idea, that I'm a beginner in Unix if you want; I just have to do that.

Thanks again
Bill

#5
On Thu, 24 Jul 2008 06:55:04 -0700 (PDT), billdangerous-at-gmail.com wrote:
> Well, thanks for these replies...
>
> My goal is to limit access to the tmp directory. It's not a choice for me,
> it's only a guideline...

``Only a guideline''? If that means you do have the choice whether to go ahead with implementing this ``plan'', then ditch it now.

> I'm not annoying my "users" because no real users are connected on the
> device, only applications. All are running as different users, with
> very specific permissions, because these applications are not trusty.

(I think you mean ``trustworthy'', as ``trusty'' means those programs would do the trusting.)

> I know that a better solution would be to chroot them, but I can't
> because of hierarchical decisions... I can't use ACLs either.

So, you're trying to secure the house by stuffing the chimney because you don't have permission to put actual locks on the doors and windows?

> The applications developed are not using the tmp directory; only two of
> them need it. So the others don't need tmp directory access. Like a
> firewall, everything that is not needed by an application shall be
> forbidden in my environment.

Plenty of firewalls only filter some things and leave the rest alone. Plenty of other ``firewalls'' make windows full of angry colours pop up in the user's face and bother him with some nitwitty mention that the user has no idea what it is about and can only conclude that since the ``firewall'' software pops it up it must be baaaad. Thus they end up blocking ICMP or DNS or somesuch, and maybe they'll even send angry mails about ``hacking'' to, oh, the operators of the root name servers or something. The term for such behaviour is GWF -- Goober With Firewall.

Any security measure, which includes firewalls, can be used responsibly, or it can be horribly abused, leading to security circus and no actual increase in security.

But it gets worse: One of the basic tenets of security is that a false sense of security is _worse_ than having no security at all and being aware of it. So, doing ill-advised things that don't actually help do in fact worsen your security.

Knowing this, do you still want to go ahead and do silly things that don't help your security, in the name of security?

> You can say that's a bad idea, that I'm a beginner in Unix if you
> want; I just have to do that.

Then it's your job to tell your boss (in detail, with reasons) it's a bad idea and doesn't actually help achieve the stated goal, but in fact will cause problems and create a worsened security situation.

--
j p d (at) d s b (dot) t u d e l f t (dot) n l .
This message was originally posted on Usenet in plain text. Any other representation, additions, or changes do not have my consent and may be a violation of international copyright law.

#6
billdangerous-at-gmail.com wrote:
> Hi everybody!
>
> First of all, excuse me for my English; it is quite bad.
>
> I'd like to secure my tmp directory. I know I could make a partition
> for this directory with noexec,nosuid,nodev, but I'd like to be more
> secure.

noexec,nosuid is certainly okay, and nodev is perhaps ok (e.g. it will break certain X servers).

> I don't want any user to be able to access my /tmp directory. So I'd
> like to have permissions like 770 instead of 777. I know that many
> applications need to write in the /tmp directory, so I would like to
> create a group named tmp, for example, where I would add the users that need
> to write in this directory. Instead of authorizing all users, I want
> to limit access to only a determined group of users. So I have to
> change the group owner of /tmp to become the tmp group instead of the root group.

Don't! It must be 1777.

> There is still a problem with that and the sticky bit. How can I
> forbid deleting files that we don't own?

chmod +t

> Are there some behaviors or difficulties that I haven't thought about?

Yes, 95% of all applications including the shell use /tmp.

--
echo imhcea\.lophc.tcs.hmo | sed 's2\(....\)\(.\{5\}\)2\2\122;s1\(.\)\(.\)1\2\11g;1 s;\.;::;2'
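As an added example that is not part of the thread (nor any poster's code): a POSIX shell script that builds the two /tmp layouts argued over above, the conventional 1777 that post #6 insists on and the group-restricted 1770 the original poster proposes, reads the resulting mode back with `ls -ld` to confirm the sticky bit that posts #3 and #6 describe, and checks a /proc/mounts-style line for the noexec,nosuid,nodev options from post #1. The directory names, the group name `tmp` and the two mount lines are assumptions constructed for the demo; it runs as an unprivileged user on a scratch directory. What it cannot show without a second uid is the sticky bit actually refusing an unlink of another user's file; it only confirms the bit is set.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares the two /tmp layouts
# discussed (conventional 1777 vs. the group-restricted 1770 the original
# poster proposes), reads the resulting mode back with ls -ld, and checks
# a /proc/mounts-style line for the noexec,nosuid,nodev options.
# Assumptions: the directory names, the group name "tmp" and the mount
# lines below are constructed for the demo. Runs as an unprivileged user.

# mode_string DIR: the 10-character type+permission field from ls -ld,
# e.g. "drwxrwxrwt". Works with GNU and BSD ls; trailing "+"/"@"/"."
# markers for ACLs, xattrs or SELinux labels are cut off.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# has_sticky DIR: the sticky bit shows in the last position as "t"
# (others also have search permission) or "T" (they do not).
has_sticky() {
    case "$(mode_string "$1")" in
        *t|*T) return 0 ;;
        *)     return 1 ;;
    esac
}

# world_writable DIR: "w" in the others-write slot (character 9).
world_writable() {
    [ "$(mode_string "$1" | cut -c9)" = "w" ]
}

# setup_tmp_dir DIR MODE [GROUP]: create DIR, set MODE, optionally chgrp.
# MODE 1777 -> drwxrwxrwt: anyone may create files; the sticky bit stops a
#   user unlinking or renaming files owned by someone else.
# MODE 1770 -> drwxrwx--T: only the owner and GROUP members may enter; the
#   sticky bit still applies among those group members.
setup_tmp_dir() {
    dir=$1; mode=$2; group=$3
    mkdir -p "$dir" || return 1
    chmod "$mode" "$dir" || return 1
    if [ -n "$group" ]; then
        chgrp "$group" "$dir" || return 1   # e.g. chgrp tmp /tmp on a real system
    fi
}

# mount_opts_ok LINE: LINE is one /proc/mounts or fstab-style line
# ("device mountpoint fstype options dump pass"); succeed only if the
# options field contains all of noexec, nosuid and nodev.
mount_opts_ok() {
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *,"$want",*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample mount lines (not taken from a real system).
GOOD_TMP_MOUNT='tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'
BAD_TMP_MOUNT='tmpfs /tmp tmpfs rw,relatime 0 0'

# demo: build both layouts under a scratch directory and report on them.
demo() {
    scratch=$(mktemp -d) || return 1
    setup_tmp_dir "$scratch/open" 1777
    setup_tmp_dir "$scratch/restricted" 1770   # pass a group as 3rd arg to chgrp
    for d in "$scratch/open" "$scratch/restricted"; do
        printf '%s  sticky=%s  world-writable=%s  (%s)\n' \
            "$(mode_string "$d")" \
            "$(has_sticky "$d" && echo yes || echo no)" \
            "$(world_writable "$d" && echo yes || echo no)" \
            "${d##*/}"
    done
    for line in "$GOOD_TMP_MOUNT" "$BAD_TMP_MOUNT"; do
        if mount_opts_ok "$line"; then
            printf 'mount ok:  %s\n' "$line"
        else
            printf 'mount lacks noexec/nosuid/nodev:  %s\n' "$line"
        fi
    done
    rm -rf "$scratch"
}

demo
```

Two points the thread states only in passing: `chmod +t` adds the sticky bit and leaves the rest of the mode alone, whereas `chmod 1777` sets the whole mode, so the latter is what you want when repairing a /tmp whose mode has drifted. And the sticky bit restricts unlink and rename to the file's owner, the directory's owner and privileged processes, so in the 1770 variant root (as owner of /tmp) can still remove anything, and members of the `tmp` group are protected only from each other, not from anything the directory's group restriction already keeps out.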