SUMMARY: Protecting /tmp from creating setuid files

From: Toth-Abonyi Mihaly (M.Toth-Abonyi@cc.u-szeged.hu)
Date: Wed Nov 20 1996 - 04:35:02 CST


Original question:

> Dear Gurus,
>
> Recently, I've received a few letters about how to create
> setuid to root shells by normal users.
> I want to protect our SPARCcenter from such attacks,
> and I can set the nosuid mount option for publicly writable
> ufs file systems.
> But what about /tmp ? Should it contain setuid files ?
> Is it necessary to mount it on swap as a tmpfs filesystem,
> or it is just a convention of Sun ?
> Is it possible for example not to mount /tmp on swap just simply create
> a link, say, to /var/tmp ?
>
> Is my idea reasonable ? Do you have any experience or working
> solution ?

My question was based upon the assumption that tmpfs filesystems
are not mountable as nosuid (I read "man mount_tmpfs" which does
not mention the possibility to give options to the mount command
for tmpfs filesystems).

That assumption is false, as Casper Dik wrote:
>You can use "nosuid" on tmpfs filesystems (post Solaris 2.3).

The majority of the responders answered that /tmp may be mounted
on an ufs file system as well, but it is not worth. Tmpfs is faster,
and the swap area is generally large enough to hold /tmp.

Regarding security bugs, my idea to mount /tmp and other
publicly writable filesystems as nosuid is not a solution.

As Casper Dik pointed out:
>I assume you're referring to the sendmail 8.7/8.8 "smtpd" bug?
>That's a problem, but you can't attack this through /tmp. These shells
>can be created anywhere.

Many thanks to
Casper Dik <casper@holland.Sun.COM>
edd@acm.org (Edgar Der-Danieliantz)
"Matt Hill" <MHILL@graver.com>
Rich Kulawiec <rsk@itw.com>
Glenn Satchell - Uniq Professional Services <Glenn.Satchell@Uniq.com.au>
for their help and also to
Herbert Wengatz <hwe@uebemc.siemens.de>
for his answer.

Regards,
Mihaly Toth-Abonyi
System administrator,
Szeged, Hungary



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:16 CDT