Ubuntu performance and security of /tmp

posted Oct 18, 2013, 12:06 PM by Leigh Williams   [ updated Oct 18, 2013, 12:36 PM ]
Remember to set the sticky bit as well as nodev, noexec and nosuid on /tmp. Below are the meanings of these three options, taken from the mount man page, followed by an example fstab line:

nodev Do not interpret character or block special devices on the file system.

noexec Do not allow execution of any binaries on the mounted file system. This option might be useful for a server that has file systems containing binaries for architectures other than its own.

nosuid Do not allow set-user-identifier or set-group-identifier bits to take effect. (This seems safe, but is in fact rather unsafe if you have suidperl(1) installed.)

Sticky bit definition, taken from Oracle's documentation:
If the directory has the sticky bit set, a file can be deleted only by the owner of the file, the owner of the directory, or by root. This special permission prevents a user from deleting other users' files from public directories such as /tmp.

Fstab entry (the options field must be one comma-separated word with no spaces, otherwise mount reads the remainder as a separate field; mode=1777 is what sets the sticky bit on the mount point):
tmpfs /tmp tmpfs defaults,noatime,noexec,nosuid,nodev,size=512M,mode=1777 0 0
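An added check script, not from the original post, that verifies an options string such as the fstab line above carries nodev, noexec and nosuid, and that an octal mode such as the 1777 above has the sticky bit set. The sample option strings are constructed; the live check against /proc/mounts and stat is shown commented out.

```shell
#!/bin/sh
# Added example: verify the /tmp hardening described above.
# Works on a mount options string (fstab field 4 or /proc/mounts field 4)
# and on an octal mode as printed by `stat -c %a`.

# has_opt OPTS NAME -> 0 if NAME appears as a whole comma-separated option
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_tmp_opts OPTS -> 0 if nodev, noexec and nosuid are all present;
# otherwise prints the missing ones and returns 1
check_tmp_opts() {
    missing=""
    for want in nodev noexec nosuid; do
        has_opt "$1" "$want" || missing="$missing $want"
    done
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

# sticky_set MODE -> 0 if the 4-digit octal mode has the sticky bit.
# The leading digit holds setuid(4) + setgid(2) + sticky(1), so any
# odd leading digit means sticky is set; a 3-digit mode has no special bits.
sticky_set() {
    case "$1" in
        [1357]???) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check on a running host (run after editing fstab and remounting):
# opts=$(awk '$2 == "/tmp" { print $4 }' /proc/mounts)
# check_tmp_opts "$opts" && sticky_set "$(stat -c %a /tmp)" && echo "/tmp hardened"

# Constructed sample option strings (not captured from a real host):
good="rw,noatime,noexec,nosuid,nodev,size=524288k,mode=1777"
bad="rw,relatime,size=524288k"
for opts in "$good" "$bad"; do
    if check_tmp_opts "$opts"; then echo "ok:   $opts"; else echo "weak: $opts"; fi
done
```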

If you need your temp files to survive a reboot, do not do this: tmpfs is memory-backed, so everything under /tmp is gone at shutdown.