hardening /tmp
Roland Smith
rsmith at xs4all.nl
Sat Feb 11 09:49:33 UTC 2017
On Wed, Feb 08, 2017 at 10:22:48AM -0500, James B. Byrne via freebsd-questions wrote:
> How do most people handle hardening /tmp and /var/tmp on FreeBSD? I
> can get rid of /tmp from the file system and then simply mount it as a
> tmpfs in /etc/fstab.
>
> tmpfs /tmp tmpfs rw,nosuid,noexec,mode=01777 0 0
>
> However, /var/tmp is supposed to survive across reboots so how is this
> handled?

You cannot have noexec set on /tmp if you want to run “make installworld”!

You could make a separate partition/dataset for /var/tmp and mount that as
noexec/nosuid.

If you *really* want to harden your server, you should probably increase
the kern.securelevel sysctl. See security(7).

Roland
--
R.F.Smith http://rsmith.home.xs4all.nl/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 5753 3324 1661 B0FE 8D93 FCED 40F6 D5DC A38A 33E0 (keyID: A38A33E0)
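
An added example, not part of the original message: a POSIX sh check of an fstab(5)-format listing against the mount options discussed in this thread. The sample fstab and the function names (mount_opts, missing_opts, report) are constructed for illustration.

```sh
# SAMPLE_FSTAB is constructed for this example, not taken from a real host.
SAMPLE_FSTAB='# Device     Mountpoint  FStype  Options               Dump  Pass
/dev/ada0p2  /           ufs     rw                    1     1
tmpfs        /tmp        tmpfs   rw,nosuid,mode=01777  0     0
/dev/ada0p4  /var/tmp    ufs     rw,nosuid             2     2'

# mount_opts FSTAB_TEXT MOUNTPOINT
# Prints the options field of MOUNTPOINT; returns 1 if it has no entry of its own.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $1 ~ /^#/ || NF < 4 { next }
        $2 == mp { print $4; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# missing_opts FSTAB_TEXT MOUNTPOINT WANTED...
# Prints the WANTED options that are absent (space-separated).
# Returns 0 = all present, 1 = some missing, 2 = not a separate mount.
missing_opts() {
    mo_text=$1; mo_mp=$2; shift 2
    mo_opts=$(mount_opts "$mo_text" "$mo_mp") || return 2
    mo_missing=
    for mo_want in "$@"; do
        case ",$mo_opts," in
            *",$mo_want,"*) ;;
            *) mo_missing="${mo_missing:+$mo_missing }$mo_want" ;;
        esac
    done
    [ -z "$mo_missing" ] && return 0
    printf '%s\n' "$mo_missing"
    return 1
}

# report FSTAB_TEXT MOUNTPOINT WANTED...: one readable line per mount point.
report() {
    if r_missing=$(missing_opts "$@"); then
        echo "$2: ok"
    elif [ -n "$r_missing" ]; then
        echo "$2: missing $r_missing"
    else
        echo "$2: no separate fstab entry"
    fi
}

# noexec is requested only for /var/tmp: per the reply above, noexec on /tmp
# breaks "make installworld".
report "$SAMPLE_FSTAB" /tmp nosuid
report "$SAMPLE_FSTAB" /var/tmp nosuid noexec
```

To check a live system, pass the file contents instead of the sample, for example `report "$(cat /etc/fstab)" /var/tmp nosuid noexec`.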