Locking down /tmp to protect against automated and "script kiddie" exploits

Introduction

The most common way systems are compromised are through web applications. An excellent example of this is phpBB. Users install phpBB on your shared web server. It works, so they leave it. 6 months later, 3 exploits that allow code execution are found in phpBB but the user on your shared web server isn't concerned with security. You get an email from the feds telling you your server has been taking part in a DDoS.

If you've ever seen such an exploit, they usual create a botnet and search for other vulnerable applications on other servers and compromise those. The one thing that's common to all these types of exploits is that they need somewhere to write files to. Where is the most obvious place that will exist on all UNIX systems? You've got it! /tmp

How?

We can utilise the "noexec" and "nosuid" options when mounting a filesystem. As "noexec" suggestions, anything inside the mount point with this option can't be executed. "nosuid" disallows the use of any SUID file.

If you've got /tmp as a separate partition

Simply add the "noexec,nosuid" options to the line that mounts /tmp in your /etc/fstab. Remount /tmp using "mount -o remount /tmp" and you're done.

If you haven't got /tmp as a separate partition

We can fool Linux in to thinking we have.

`

  1. dd if=/dev/zero of=/tmp.img count=1 bs=100M
  2. mke2fs -j /tmp.img

`

We've created an EXT3 filesystem inside /tmp.img that's 100Mb. We now need to remove /tmp for a little bit. Look inside /tmp and stop any services that are using files in there.

`

  1. mv /tmp /tmp_old
  2. mkdir /tmp
  3. chmod 700 /tmp

`

Why chmod /tmp 700? Because it's a mount point. If /tmp.img isn't mounted there we don't want people using it, hence the chmod 700. And now to test:

`

  1. mount -o loop,noexec,nosuid,rw /tmp.img /tmp
  2. chmod 1777 /tmp

`

/tmp.img should now be mounted on /tmp. Ensure it's what you expected by using "df -h" and "mount". Copy /bin/sh in to /tmp and try to execute it. It shouldn't work which is what we want.

We now need to modify /etc/fstab to automatically mount /tmp when the system boots:

/tmp.img    /tmp            ext3    loop,noexec,nosuid,rw   0       2

And lastly, move everything in /tmp_old to /tmp, restart the services that were stopped, and remove /tmp_old.

Notes

Note that using "noexec" doesn't stop execution of files 100%. There is a workaround but we're talking about mitigating automated and "script kiddie" style exploits from doing nasty stuff to your system. They don't yet use the workaround so we're safe for the time being.

Also note there is /var/tmp and /var/lock. You may want to do the same for this but once again, I've not seen any automated exploits that make use of /var/tmp or /var/lock.

Be aware that sometimes APT and similar applications can write files to /tmp and execute them as part of post/pre installation processes. Having "noexec" will disrupt this and could cause you problems. For APT you can change the configuration file so it'll remount /tmp without "noexec,nosuid" and put it back to normal once it's finished. This is documented in various places on the Internet.

Some applications will read the environment variable TMPDIR to find the location of the tmp directory use. Some set it to ~/tmp so that sensitive information about a user's usage, isn't world visible.


Page written by DavidRamsden

Security/LockDownTmp (last edited 2006-05-29 01:17:56 by 81)