hardening /tmp
Trond Endrestøl
Trond.Endrestol at fagskolen.gjovik.no
Wed Feb 8 16:11:04 UTC 2017
On Wed, 8 Feb 2017 18:58+0300, Odhiambo Washington wrote:
> On 8 February 2017 at 18:43, Trond Endrestøl <Trond.Endrestol at fagskolen.
> gjovik.no> wrote:
>
> > On Wed, 8 Feb 2017 10:22-0500, James B. Byrne via freebsd-questions wrote:
> >
> > > How do most people handle hardening /tmp and /var/tmp on FreeBSD? I
> > > can get rid of /tmp from the file system and then simply mount it as a
> > > tmpfs in /etc/fstab.
> > >
> > > tmpfs /tmp tmpfs rw,nosuid,noexec,mode=01777 0 0
> > >
> > > However, /var/tmp is supposed to survive across reboots so how is this
> > > handled?
> >
> > If ZFS is an option, then create a separate dataset/filesystem for
> > /var/tmp, and set its quota to something sensible.
> >
> > If UFS is your (only) option, then create a separate partition of
> > reasonable size and mount that as your /var/tmp.
> >
> > You can also consider a filebacked mfs of a certain size for your
> > /var/tmp.
>
> What are we mitigating? A situation where some bad guy fills /tmp and
> collapses the system? Or a situation where a bad guy manages to access our
> /tmp and uses it to launch his scripts?
> I remember this hardening subject from years back, so I googled "freebsd
> security hardeng" and found so much being discussed, including even a port
> that was specifically made to achieve the same, as you can read from
> https://linux-audit.com/freebsd-hardening-lynis/
One scenario might include user access to said system(s), where some
of the (ab)users might hoard the available disk space. This scenario
also includes quota being used for the regular home directories.
Unix was originally created for small teams of developers, and such
bunches of people are far easier to handle than a whole college
department full of (ab)users.
I'm sorry for punching up the language and for hijacking the thread.
--
+-------------------------------+------------------------------------+
| Vennlig hilsen, | Best regards, |
| Trond Endrestøl, | Trond Endrestøl, |
| IT-ansvarlig, | System administrator, |
| Fagskolen Innlandet, | Gjøvik Technical College, Norway, |
| tlf. mob. 952 62 567, | Cellular...: +47 952 62 567, |
| sentralbord 61 14 54 00. | Switchboard: +47 61 14 54 00. |
+-------------------------------+------------------------------------+
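A defender's audit check for the mount options discussed in this thread, added here as an example (it is not code from any poster): it reads fstab-format lines and reports whether /tmp and /var/tmp carry the nosuid and noexec options. The sample fstab lines are constructed for illustration.

```shell
#!/bin/sh
# Audit fstab-format mount entries for hardening options on temporary
# directories. Sample input is constructed; on a real host feed /etc/fstab
# or the output of `mount -p` (which prints in fstab format on FreeBSD).
SAMPLE_FSTAB='tmpfs /tmp tmpfs rw,nosuid,noexec,mode=01777 0 0
/dev/ada0p4 /var/tmp ufs rw 2 2
/dev/ada0p3 /var ufs rw 2 2'

# has_opt OPTLIST OPT: succeed if OPT appears in the comma-separated OPTLIST.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mount MOUNTPOINT: reads fstab lines on stdin and prints one line:
#   "<mp> ok"               both nosuid and noexec are set
#   "<mp> lacks a,b"        listed hardening options are absent
#   "<mp> missing"          no entry for that mount point at all
audit_mount() {
    mp=$1
    found=0
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blank/comment lines
        [ "$mnt" = "$mp" ] || continue
        found=1
        missing=""
        for want in nosuid noexec; do
            has_opt "$opts" "$want" || missing="${missing:+$missing,}$want"
        done
        if [ -z "$missing" ]; then
            echo "$mp ok"
        else
            echo "$mp lacks $missing"
        fi
    done
    [ "$found" -eq 1 ] || echo "$mp missing"
}

printf '%s\n' "$SAMPLE_FSTAB" | audit_mount /tmp
printf '%s\n' "$SAMPLE_FSTAB" | audit_mount /var/tmp
```

Against a live system, `audit_mount /var/tmp < /etc/fstab` checks the boot-time configuration and `mount -p | audit_mount /var/tmp` checks what is actually mounted.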