Securing /home/tmp

[MtK]

Hey,
would it be a bad idea to create a symlink:

/home/tmp --> /tmp

so it would be more secure...?

 

[Dougy]

Bad idea.

You should have /tmp mounted with custom options in fstab that you don't want on /home.

 

[MtK]

Bad idea.

You should have /tmp mounted with custom options in fstab that you don't want on /home.

Please re-read my post again...

 

[nobaloney]

@Dougy:

Such as? And why?

@MtK:

What user Dougy is writing is that if you point /home/tmp to /tmp you'll be using /tmp's mount options for /home/tmp. Dougy believes this is unwise. I've asked him to explain.

Jeff

 

[MtK]

@Dougy:

Such as? And why?

@MtK:

What user Dougy is writing is that if you point /home/tmp to /tmp you'll be using /tmp's mount options for /home/tmp. Dougy believes this is unwise. I've asked him to explain.

Jeff

actually, this is exactly my question.
I already have /tmp as a partition with special mount options...

 

[Dougy]

@Dougy:

Such as? And why?

@MtK:

What user Dougy is writing is that if you point /home/tmp to /tmp you'll be using /tmp's mount options for /home/tmp. Dougy believes this is unwise. I've asked him to explain.

Jeff

/tmp should at least be mounted with nosuid,noexec.

PS: Jeff, take a look over at my ssl thread

 

[MtK]

/tmp should at least be mounted with nosuid,noexec.

and why should I want to allow user's to upload through DA's file manager something that could run from /home/tmp ?!

 

[nobaloney]

/tmp should at least be mounted with nosuid,noexec.

And why can't /home/tmp be redirected to a /tmp partition with the same restrictions?

PS: Jeff, take a look over at my ssl thread

Why? I read evey post made to DirectAdmin forums. Why should I pay special attention to this one now? If you're pointing out a response to my question, then please be so kind as to let me know in which post.

Thanks.

Jeff

 

[nobaloney]

and why should I want to allow user's to upload through DA's file manager something that could run from /home/tmp ?!

You've lost me. I don't see how a user can upload into /home/tmp.

Jeff

 

[Arieh]

What is /home/tmp exactly being used for? If I search around a bit its (probably among other things) used for DA backups. If a user can't access it, then whats the reason for wanting to secure it?

 

[MtK]

You've lost me. I don't see how a user can upload into /home/tmp.

Jeff

when a user uploads something through DA's file manager, it uses /home/tmp (or whatever tmp directory set in configuration) to upload the file until moved to its final destination.

I don't want anything being "accidentally" left in /home/tmp and if it happens at least have it secured to prevent it from executing (like my real /tmp partition).

 

[floyd]

I don't want anything being "accidentally" left in /home/tmp and if it happens at least have it secured to prevent it from executing (like my real /tmp partition).

If it is a interpreted script it can still be executed even in a secured /tmp. Its done by simply putting the interpreter name in front of it. A perl script can be run in secured /tmp as "perl /tmp/script.pl" There is nothing you can do to prevent that.

 

[MtK]

If it is a interpreted script it can still be executed even in a secured /tmp. Its done by simply putting the interpreter name in front of it. A perl script can be run in secured /tmp as "perl /tmp/script.pl" There is nothing you can do to prevent that.

OK, but do you agree that /tmp is probably more secure than /home/tmp ?
and if I already have a tmp directory on the server there is no reason to maintain a second one...

 

[floyd]

OK, but do you agree that /tmp is probably more secure than /home/tmp ?

Yes I agree. However do not be fooled into thinking that its actually secure. And I do not know what DA might actually try to run from /home/tmp. It could create problems.

I know I had problems with installing some stuff because of /tmp being secure. I think it was pecl installing stuff. I know I secured /tmp and then later it was directly responsible for problems I had when installing software and I immediately remove it. The problem I had is in the forum here somewhere.

 

[floyd]

Found the problem I had because of securing /tmp.

[root@server /]# pecl install zip
downloading zip-1.8.10.tgz ...
Starting to download zip-1.8.10.tgz (66,972 bytes)
.................done: 66,972 bytes
58 source files, building
running: phpize
Configuring for:
PHP Api Version:         20041225
Zend Module Api No:      20060613
Zend Extension Api No:   220060519
/usr/local/bin/phpize: /tmp/pear/cache/zip-1.8.10/build/shtool: /bin/sh: bad interpreter: Permission denied
Cannot find autoconf. Please check your autoconf installation and the $PHP_AUTOCONF
environment variable is set correctly and then rerun this script.

ERROR: `phpize' failed

http://www.directadmin.com/forum/showthread.php?t=29608&page=2

 

[MtK]

Found the problem I had because of securing /tmp.

[root@server /]# pecl install zip
downloading zip-1.8.10.tgz ...
Starting to download zip-1.8.10.tgz (66,972 bytes)
.................done: 66,972 bytes
58 source files, building
running: phpize
Configuring for:
PHP Api Version:         20041225
Zend Module Api No:      20060613
Zend Extension Api No:   220060519
/usr/local/bin/phpize: /tmp/pear/cache/zip-1.8.10/build/shtool: /bin/sh: bad interpreter: Permission denied
Cannot find autoconf. Please check your autoconf installation and the $PHP_AUTOCONF
environment variable is set correctly and then rerun this script.

ERROR: `phpize' failed

http://www.directadmin.com/forum/showthread.php?t=29608&page=2

well,
unsecure the /tmp partition, install whatever you (the owner/admin) need, and re-secure it again.
you don't want the average hacker to be able to un/install stuff too, right?


as for DA, maybe a reply from the staff could shed some light into this...

 

[floyd]

you don't want the average hacker to be able to un/install stuff too, right?

The average hacker cannot install anything anyway regardless of the state of /tmp.

I have nothing against somebody else securing /tmp. Yes it will make it slightly more secure. I am just saying don't be fooled into thinking that you don't have to worry about /tmp anymore.

The average hacker runs stuff in /tmp as "perl /tmp/script.pl" because they already know that most people have /tmp secured so they do not even try with "/tmp/script.pl"

When the above happens you are going to asking "How could this happen? I had /tmp secured."

 

[MtK]

The average hacker cannot install anything anyway regardless of the state of /tmp.

I have nothing against somebody else securing /tmp. Yes it will make it slightly more secure. I am just saying don't be fooled into thinking that you don't have to worry about /tmp anymore.

The average hacker runs stuff in /tmp as "perl /tmp/script.pl" because they already know that most people have /tmp secured so they do not even try with "/tmp/script.pl"

When the above happens you are going to asking "How could this happen? I had /tmp secured."

yes, and I'm saying why worry about 2 places, when one (/tmp) is clearly enough...

 

[floyd]

yes, and I'm saying why worry about 2 places, when one (/tmp) is clearly enough...

I believe you to be correct. But I again I do not know all the things DA might try to do in /home/tmp so if you have any problems with DA that you have never had before this should be the first place to look.

Sometimes I digress and give more information than was asked.

 

[MtK]

I believe you to be correct. But I again I do not know all the things DA might try to do in /home/tmp so if you have any problems with DA that you have never had before this should be the first place to look.

Sometimes I digress and give more information than was asked.

appreciate the info

let's now wait for DA's insight...