Penguin

This trick is for multiuser boxes to try and ameliorate issues with people creating insecure temporary files (and to make it obvious which applications don't respect TMPDIR). The idea is to create a seperate directory for every user on the machine that's 700 to that user and point TMPDIR at it. I think that this idea could(/should?) be used by default by distributions. This can be extended to work for other services (eg apache).

Points for:

  • It helps to protect against abusers with exploited non-root services from leveraging a tmpfile exploit to gain a users account.
  • It reduces the effects of /tmp becoming large and therefore slow to search.

The first part of the script goes in /etc/skel/.bash_profile before you create user accounts:

 # Set up each users own temp directory (kinda)
 mkdir -p /tmp/$USER/create.$$ 2>/dev/null
 if [ -O /tmp/$USER ]; then
        TMPDIR=/tmp/$USER
 else
        TMPDIR=$(mktemp -d /tmp/${USER}.XXXXXX)
 fi

 touch $TMPDIR/.bash.$$
 [ -d $TMPDIR/create.$$ ] && rmdir $TMPDIR/create.$$

 TMP=$TMPDIR
 TEMP=$TMPDIR

 export TMPDIR TMP TEMP

Then in .bash_logout:

 rm $TMPDIR/.bash.$$
 rmdir $TMPDIR 2>/dev/null

This means that it will remove the directory when the last shell is closed and there are no more files in the directory.

The reason for creating then deleting $TMPDIR/create.$$, as some may wonder, is to make the mkdir an atomic operation that should stop any shell that is logging out as you log in, from removing $TMPDIR before a file is created within it ($TMPDIR/.bash.$$)

If users want scratch space to copy files between users etc, they can use /tmp directly as LinuxFromScratch suggests, however conformant programs should use TMPDIR which now places the files in /tmp/username or /tmp/username.uniqueid.

The current flaw with this script is that it doesn't detect if /tmp/username and all the possible /tmp/username.uniqueids have already been created by an attacker.

Alternatively the first script can be placed in /etc/profile.d/ and the .bash_logout script can be ignored and the directories can be removed regularly from cron if necessary.

Ideally Linux could transparently produce a unique /tmp/ for each $USER on the system, but that would break LinuxStandardsBase compiliance and many applications.


No no no no. Don't have the users fiddling things. That's prone to problems, since you need to grant them permissions to be able to do that. The right way is to have the Hand Of God set things up for the users in a directory structure they have no permissions in. Basic setup:

 mkdir -m 711 /tmp-safe /tmp-safe/user
 mkdir -m 1777 /tmp-safe/global
 chown root.root /tmp-safe /tmp-safe/user /tmp-safe/global
 ln -s /tmp /tmp-safe/global

Now once you have that in place, invoke the following script instead of login(1):

 #!/bin/sh
 # FIXME: assumes $1 == username, but login(1) takes options, so parse with getopts
 mkdir -m 700 /tmp-safe/user/"$1" /tmp/"$1"
 chown "$1":  /tmp-safe/user/"$1" /tmp/"$1"
 mount --bind /tmp-safe/user/"$1" /tmp/"$1" || exit 1
 exec /bin/login "$@"

Now /tmp and /tmp/$USER have nothing whatsoever to do with each other, and since the latter is merely a mountpoint, whatever permissions a preexisting directory at that location might have had doesn't matter in the slightest. You can have a process cd'ed to /tmp/$USER sitting in the background as long as the user is logged in. If unmounting the bind succeeds, you can delete /tmp-safe/user/$USER

Personally I might leave out the /tmp/$USER thing entirely and just point TMPDIR to /tmp-safe/user/$USER. (Do the simplest thing that could possibly work.) You'll have to have cron periodically vacuum the place then of course.

--AristotlePagaltzis


CategorySecurity