I noticed after my install that the tmp directory was
A- not a sticky B- still executable
I went and changed etc/fstab to add loop,noexec,nosuid,rw, which I hope is the right thing to do. I rebooted and it looks like it worked.
When doing an ls -l on the main directory, the tmp folder lit up all green in putty (cool, I hope)
But the chmods I did with winscp will not take effect (they do on other directories) so I manually ran chmod 1777 on the tmp folder.
Since centos seems to be pretty good at pre-configuration, I am concerned that maybe I should not do this, but every security book says to do it.
I am imagining I will be okay, and I hope if it is right, that others on the list that do not know about this, make the change. Especially if running a webserver.
Right or wrong?
Bob Hoffman <> scribbled on Monday, September 15, 2008 8:18 AM:
But the chmods I did with winscp will not take effect (they do on other directories) so I manually ran chmod 1777 on the tmp folder.
Did you do a Ctrl-R to refresh the view in WinSCP?
I've been caught with that a few times before... 8-)
Hi Bob,
On Mon, Sep 15, 2008 at 02:18, Bob Hoffman bob@bobhoffman.com wrote:
I noticed after my install that the tmp directory was A- not a sticky
Then there must be something wrong with your install, because all stock installs of CentOS I have done so far will create /tmp as a sticky directory.
B- still executable
You mean permissions? chmod +x? Because it is supposed to have executable permissions.
If you mean mounted with noexec, that's different, that's something that is not done by default on CentOS. That is something that can be done only if /tmp is created as a separate partition, but that is not something that everybody does, and I think the default partitioning in CentOS is to keep /tmp on the root filesystem. There are advantages and disadvantages to both approaches, you should choose yours.
By the way, to do it by default, this is what I use in the ks.cfg I use to kickstart install my machines:
logvol /tmp --vgname=raidvol --name=tmp --size=4096 --fstype=ext3 --fsoptions="nodev,nosuid,noexec"
I'm still concerned with the fact that you said on your install it was not sticky, because on all my installs, even if I create /tmp as a different filesystem with fsoptions, it is created as a sticky directory. Could you re-check that please?
Filipe
On Mon, Sep 15, 2008 at 16:23, nate centos@linuxpowered.net wrote:
Filipe Brandenburger wrote:
If you mean mounted with noexec, that's different, that's something that is not done by default on CentOS. That is something that can be
Not to mention noexec is fairly worthless on linux anyways since you can easily bypass it.
And the fact that SELinux provides a much better protection for this kind of security issues and exploits.
Filipe
If you mean mounted with noexec, that's different, that's something that is not done by default on CentOS. That is something that can be
Not to mention noexec is fairly worthless on linux anyways since you can easily bypass it.
So /dev/VolGroup00/LogVol00 /tmp ext3 loop,noexec,nosuid,rw 0 0
Is useless to do? What about chmod so that no one can execute anything, rw-rw-rw- ? Then no executes via chmod. If so, what a waste of time working on this...lol
Bob Hoffman wrote:
So /dev/VolGroup00/LogVol00 /tmp ext3 loop,noexec,nosuid,rw 0 0
Is useless to do? What about chmod so that no one can execute anything, rw-rw-rw- ? Then no executes via chmod.
hmm, well it seems it works now, for the longest time you could just run /lib/ld-linux.so.2 for dynamic executables, but I just tested it on centos 4.6 and 5.1 and it seems it does block it.
If so, what a waste of time working on this...lol
Maybe not so much, sorry 'bout that :) but as another poster mentioned if you're really paranoid about security SELinux is probably the best way to go.
nate
On Mon, 2008-09-15 at 16:43 -0400, Bob Hoffman wrote:
<snip>
Is useless to do? What about chmod so that no one can execute anything, rw-rw-rw- ? Then no executes via chmod. If so, what a waste of time working on this...lol
As Ralph said, x on directories does not mean what you seem to think it does. It controls whether a process can change into that directory. E.g. you can access a file anywhere in the directory (or its subdirectories) and execute it (if permissions and type are right) but you cannot "cd dir" if it has no x on it. Further, all higher level dirs need to have x as well.
<snip sig stuff>
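The directory x bit discussed in this reply, and the rw-rw-rw- idea from Bob's message it answers, can be probed on a throwaway directory. The script below is an added example, not code from anyone in this thread; it builds its own tree under mktemp (nothing touches the real /tmp), assumes a Linux box with a POSIX sh, and must be run as an unprivileged user, because root bypasses every check it makes.

```shell
#!/bin/sh
# Added example, not from the thread: what the x bit on a directory controls.
# Builds a throwaway tree under mktemp and probes it at several modes.
# Run as an unprivileged user: root's CAP_DAC_OVERRIDE bypasses all of this.
set -eu

WORK=$(mktemp -d)
trap 'chmod -R u+rwx "$WORK" 2>/dev/null; rm -rf "$WORK"' EXIT

# A directory with one small executable script inside it.
mkdir "$WORK/d"
printf '#!/bin/sh\necho ran\n' > "$WORK/d/hello.sh"
chmod 755 "$WORK/d/hello.sh"

# Listing needs r on the directory (readdir); it does not need x.
can_list() { ls "$1" >/dev/null 2>&1; }

# cd needs x on the directory (search permission); r is not required.
can_cd() { ( cd "$1" ) >/dev/null 2>&1; }

# Opening a file inside needs x on every directory in its path.
can_open() { cat "$1/hello.sh" >/dev/null 2>&1; }

# Executing a file by path needs x on the path's directories plus x on the
# file itself; the directory's own x bit does not govern whether files
# inside it may be executed.
can_run() { [ "$("$1/hello.sh" 2>/dev/null)" = ran ]; }

# Set the directory to a mode, probe it, restore 755, print one summary line.
probe() {
    mode=$1
    chmod "$mode" "$WORK/d"
    ls_ok=no; cd_ok=no; open_ok=no; run_ok=no
    can_list "$WORK/d" && ls_ok=yes
    can_cd "$WORK/d" && cd_ok=yes
    can_open "$WORK/d" && open_ok=yes
    can_run "$WORK/d" && run_ok=yes
    chmod 755 "$WORK/d"
    printf 'mode=%s ls=%s cd=%s open=%s run=%s\n' \
        "$mode" "$ls_ok" "$cd_ok" "$open_ok" "$run_ok"
}

# 1777 is the stock /tmp: everyone may list, enter, open and run.
# 711 keeps the directory usable but hides its listing.
# 666 (the rw-rw-rw- idea): names are visible, but nobody can enter it or
# open anything inside, let alone run it, so /tmp becomes unusable, not safer.
for m in 1777 711 666; do
    probe "$m"
done
```

The last probe is the one that matters for the question above: taking x away from /tmp does not stop execution in particular, it stops every access to the files below it, which is why the mount option (noexec) and the sticky bit (1777), not a 666 mode, are the tools normally used.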
Then there must be something wrong with your install, because all stock installs of CentOS I have done so far will create /tmp as a sticky directory.
B- still executable
You mean permissions? chmod +x? Because it is supposed to have executable permissions.
Perhaps my winscp undid the sticky. Even now when I view permissions with winscp the sticky is blank. If I check the box and change it, then go to the shell and pull up permissions, sticky is gone. So perhaps my winscp is configured wrong or just does not work with the extra chmods of sticky and perhaps suid and the such.
Executable meaning noexec and all that. I added the line in my etc/fstab and I would assume it is fine. But it was not installed that way.
/dev/VolGroup00/LogVol00 /tmp ext3 loop,noexec,nosuid,rw 0 0
Of course it is on a separate partition. I want to make the server secure as I can on that part. Keeping people from executing stuff and overloading temp is a prime concern.
logvol /tmp --vgname=raidvol --name=tmp --size=4096 --fstype=ext3 --fsoptions="nodev,nosuid,noexec"
I'm still concerned with the fact that you said on your install it was not sticky, because on all my installs, even if I create /tmp as a different filesystem with fsoptions, it is created as a sticky directory. Could you re-check that please?
I wish there was a way to recheck without a fresh install. Perhaps because I mounted it on a new partition, perhaps playing with permissions I did it. Heck, I am concerned that the tmp directory is executable.. 1777 without the noexec and stuff.. That is something most new users would not know about. I think that is a very important security step to button the server up... As far as I know.
I will be doing a fresh install in a few months when I can afford a new computer, to build a detailed how to, and will post if it was not sticky or not.
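Both Filipe's request to re-check the sticky bit and Bob's wish for a way to do so without reinstalling can be met from the shell on the running system. The script below is an added example, not anything posted in this thread; it assumes a Linux host with GNU stat, awk and /proc/mounts, and the fstab and mounts-table lines it feeds to its own functions are constructed samples (the fstab line is the one Bob quoted, the /proc/mounts line is what the kernel would report for such a mount).

```shell
#!/bin/sh
# Added example, not from the thread: check an existing system's /tmp for the
# sticky bit and for the mount options discussed above, with no reinstall.
set -eu

# Return 0 if the directory's mode string ends in t or T (sticky bit set).
sticky_ok() {
    case "$(stat -c %A "$1")" in
        *t|*T) return 0 ;;
        *)     return 1 ;;
    esac
}

# Fourth field of an fstab line: the comma-separated mount options.
fstab_opts() { printf '%s\n' "$1" | awk '{ print $4 }'; }

# Options the kernel is actually using for a mount point, read from a mounts
# table ($2, default /proc/mounts). Empty output means "not a separate mount".
live_opts() { awk -v mp="$1" '$2 == mp { print $4 }' "${2:-/proc/mounts}"; }

# Return 0 if the comma-separated list $1 contains option $2 as a whole word.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print which of nodev/nosuid/noexec are absent from an option list.
missing_opts() {
    out=""
    for want in nodev nosuid noexec; do
        has_opt "$1" "$want" || out="$out${out:+ }$want"
    done
    printf '%s\n' "$out"
}

# Report on a real directory: numeric mode, sticky bit, live mount options.
report() {
    dir=$1
    printf '%s mode %s, sticky: %s\n' "$dir" "$(stat -c %a "$dir")" \
        "$(sticky_ok "$dir" && echo yes || echo no)"
    opts=$(live_opts "$dir")
    if [ -z "$opts" ]; then
        printf '%s is not a separate mount; noexec/nosuid/nodev cannot be applied to it alone\n' "$dir"
    else
        printf '%s mounted with: %s; missing: %s\n' "$dir" "$opts" "$(missing_opts "$opts")"
    fi
}

# Constructed sample: the fstab line quoted in the thread.
SAMPLE_FSTAB='/dev/VolGroup00/LogVol00 /tmp ext3 loop,noexec,nosuid,rw 0 0'
echo "sample fstab line is missing: $(missing_opts "$(fstab_opts "$SAMPLE_FSTAB")")"

# Live check of this machine's /tmp.
report /tmp
```

Against the sample line the check reports only nodev as missing, which is the one option in Filipe's kickstart fsoptions that Bob's fstab entry lacks; the `loop` option in that entry is meant for mounting a file as a filesystem and adds nothing on a logical volume, so the check ignores it. If `stat -c %a /tmp` prints 1777 and the sticky column shows yes, the directory is fine regardless of what a WinSCP permissions dialog displays.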