“Safe” /tmp is not safe at all

Dmitriy Tarasov

Hello.
I have /tmp mounted with noexec,nosuid, so if I try to run the file

test.sh:
#!/bin/sh
echo "running"

in the following way
/tmp/test.sh

I get
-bash: /tmp/test.sh: /bin/sh: bad interpreter: Permission denied

but If I run it so
/bin/sh /tmp/test.sh
I get
running

I have found a script that prevents it. Here it is:
#!/bin/sh
DIR4PROTECT="/tmp"
for dir in `cat $DIR4PROTECT`;do
FILE2DELETE=`find $dir -perm +1111 -print`
for file in `echo $FILE2DELETE`;do
if [ -f $file ];then
chmod 0000 $file
chown root.root $file
fi
done
done

But when I run it I get:
Cat: /tmp: Is a directory
And nothing else.
I do not know shell programming.
Could you please advise me how to make that script work?
 
My OS is Red Hat Enterprise Linux ES release 4
With that script I am trying to chmod files that have permission 755 to 000 so nobody will be able to run them.

This is the content of my /etc/fstab:
# This file is edited by fstab-sync - see 'man fstab-sync' for details
/dev/md0 / ext3 defaults,usrquota,grpquota 1 1
none /dev/pts devpts gid=5,mode=620 0 0
none /dev/shm tmpfs defaults 0 0
none /proc proc defaults 0 0
none /sys sysfs defaults 0 0
/dev/sdb2 swap swap defaults 0 0
/dev/sda2 swap swap defaults 0 0
/var/TmpFS /tmp ext3 loop,noexec,nosuid,rw 0 0
 
Dmitriy Tarasov said:
I have found a script that prevents it. Here it is:
#!/bin/sh
DIR4PROTECT="/tmp"
for dir in `cat $DIR4PROTECT`;do
FILE2DELETE=`find $dir -perm +1111 -print`
for file in `echo $FILE2DELETE`;do
if [ -f $file ];then
chmod 0000 $file
chown root.root $file
fi
done
done

But when I run it I get:
Cat: /tmp: Is a directory
And nothing else.
I do not know shell programming.
Could you please advise me how to make that script work?
I haven't studied it but at first glance the problem is you're trying to cat a directory. You can't do that; you can only cat a file. You can ls a directory and the script may work if you change cat to ls. I'm not sure because I didn't study it.

However, if it does work it'll make all files in /tmp owned by root, and not readable, writable, or executable for anyone but root.

Which means whatever program needs files in /tmp to run won't run.

This is an issue of security vs usability. A lot of functionality on your server may cease should you run this script.

If you don't know what you're doing and why, don't do it.

Jeff
 
Well, thank you Jeff. This code works fine for me. It has an effect only on files with permission 755 that are situated in /tmp.
It changes the permissions of files in /tmp from 755 to 000 so a hacker will not be able to run his script. I run that script by cron every minute. It is a pity I cannot run it more often.

#!/bin/sh
# Every entry directly under /tmp (files and subdirectories)
dir4pro="/tmp/*"
for dir in $dir4pro; do
  # Regular files with any execute (or sticky) bit set.
  # -perm +1111 is the old GNU find spelling; newer find uses -perm /1111
  find "$dir" -type f -perm +1111 -print | while IFS= read -r file; do
    if [ -f "$file" ]; then
      chmod 0000 "$file"
      chown root:root "$file"
    fi
  done
done
 
A file with permissions 0000 cannot be read by anyone but root. For anyone except root it's not readable or writable.

Are you sure that's what you want?

Are you sure that works in every case?

I'm not, but I'm going to bring it to the attention of some people who know a bit more than I do, and see what they respond.

Jeff
 
I just want to prevent the possibility of running scripts from /tmp. Anyone can run a script from /tmp in this way:
sudo -u nobody /bin/sh /tmp/test.sh
or
sudo -u nobody /usr/bin/php -q /tmp/test.php
or maybe like this
sudo -u nobody /usr/bin/perl /tmp/test.pl
 
Dmitriy Tarasov said:
I just want to prevent the possibility of running scripts from /tmp. Anyone can run a script from /tmp in this way:
sudo -u nobody /bin/sh /tmp/test.sh
or
sudo -u nobody /usr/bin/php -q /tmp/test.php
or maybe like this
sudo -u nobody /usr/bin/perl /tmp/test.pl


I agree with jlasman and also believe this can be achieved in a better way.
Depending on your OS it's possible to secure your tmp dir with noexec.
 
The problem with noexec is it doesn't stop calling the file with perl, bash, php, etc., rather than directly. That was the point of the original post.

Here's one response I've gotten so far; it's from the Senior Network Engineer of a major regional ISP here in the US. This is from a gent I really trust.
> On a forum I read someone has suggested chmodding everything in /tmp as
> 0000 to protect from hackers.

Unplugging from the network or power will protect your server from hackers
too.

> In my understanding, then no one (not even the owner) can read the
> files.

Right...so anything that relies on /tmp for temporary storage will break
if you either chmod 000 /tmp or frequently do that to all files/dirs in
/tmp/.

> Can this possibly work without breaking a lot of services and programs
> that use /tmp?

Yeah. Make sure all your applications are set up to use their own separate
temp spaces rather than /tmp/. It may not be practical, but it's probably
possible.

Jeff
 
I'm not going to chmod everything in /tmp as 0000, only files that satisfy the condition
FILE2DELETE=`find $dir -perm +1111 -print`
 
Re: “Safe” /tmp is not safe at all

I also confirm what Jeff said.
If you want to chmod all executable files in /tmp to 000 then you may break your system yourself. I recommend you just clear the executable bit and chown to root; however, this will still break some processes.

Example: some service creates a temp file in /tmp with the execute bit set but does not want to execute it.
Then you chmod that file away from its owner, e.g. from 0777 apache:apache filename to 0000 root:root filename, and then apache cannot read that file anymore.

If you mount /tmp with noexec then it has no meaning whether any file has the execute bit set or not, because it cannot be executed directly.
If it is a perl/php/sh script then it can still be run with perl/php/sh even if it does not have the execute bit set; however, it will run under the user executing that script (user/apache/nobody), not as root.

I would suggest doing NOTHING.
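The less destructive variant suggested above (clear only the execute bit instead of chmod 0000, so the owning service can still read and write its own file), as an added example written for this page and not code posted in the thread. It assumes GNU find (the -perm /111 spelling is the modern equivalent of the thread's -perm +1111) and is meant to be run first in report-only mode so the admin can see which service owns the files before changing anything:

```shell
#!/bin/sh
# Added example, not from the thread: report regular files under a directory
# that carry any execute bit, and optionally strip only the execute bits
# (chmod a-x). Read/write bits and ownership are left alone, so a service
# that created the file can still use it; only direct execution is blocked.
# Interpreter invocation (sh /tmp/x.sh) is NOT prevented by this, as the
# thread points out.
#
# Usage: report_exec_files DIR   -> prints one path per line (dry run)
#        strip_exec_bits  DIR    -> clears x bits, prints what it changed

# List regular files under DIR with any of the u/g/o execute bits set.
# -xdev keeps find from wandering onto another mounted filesystem.
report_exec_files() {
    find "$1" -xdev -type f -perm /111 -print
}

# Remove only the execute bits from the files report_exec_files lists.
# Paths are read line by line so names with spaces are handled.
strip_exec_bits() {
    report_exec_files "$1" | while IFS= read -r f; do
        chmod a-x "$f" && printf 'cleared x on %s\n' "$f"
    done
}

# When run directly with a directory argument, only report (dry run).
if [ $# -ge 1 ]; then
    report_exec_files "$1"
fi
```

Run it as `sh script.sh /tmp` from cron or by hand to get the list, and only call strip_exec_bits once you have checked the owners in that list; a file owned by a service account (the apache:apache case above) tells you that service may rely on it.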
 