From owner-freebsd-questions@freebsd.org Wed Feb 8 15:44:11 2017
From: Trond Endrestøl <trond@fagskolen.gjovik.no>
Date: Wed, 8 Feb 2017 16:43:46 +0100 (CET)
To: byrnejb@harte-lyne.ca
Cc: FreeBSD-questions@freebsd.org
Subject: Re: hardening /tmp
In-Reply-To: <687643e26aeb858b3b5d9f5693829360.squirrel@webmail.harte-lyne.ca>
Organization: Fagskolen Innlandet

On Wed, 8 Feb 2017 10:22-0500, James B. Byrne via freebsd-questions wrote:

> How do most people handle hardening /tmp and /var/tmp on FreeBSD? I
> can get rid of /tmp from the file system and then simply mount it as a
> tmpfs in /etc/fstab.
>
> tmpfs /tmp tmpfs rw,nosuid,noexec,mode=01777 0 0
>
> However, /var/tmp is supposed to survive across reboots so how is this
> handled?

If ZFS is an option, then create a separate dataset/filesystem for
/var/tmp, and set its quota to something sensible.

If UFS is your (only) option, then create a separate partition of
reasonable size and mount that as your /var/tmp.

You can also consider a file-backed mfs of a certain size for your
/var/tmp.

-- 
+-------------------------------+------------------------------------+
| Vennlig hilsen,               | Best regards,                      |
| Trond Endrestøl,              | Trond Endrestøl,                   |
| IT-ansvarlig,                 | System administrator,              |
| Fagskolen Innlandet,          | Gjøvik Technical College, Norway,  |
| tlf. mob. 952 62 567,         | Cellular...: +47 952 62 567,       |
| sentralbord 61 14 54 00.      | Switchboard: +47 61 14 54 00.      |
+-------------------------------+------------------------------------+

From owner-freebsd-questions@freebsd.org Wed Feb 8 15:59:16 2017
From: Odhiambo Washington <odhiambo@gmail.com>
Date: Wed, 8 Feb 2017 18:58:34 +0300
To: User Questions <freebsd-questions@freebsd.org>
Subject: Re: hardening /tmp
References: <687643e26aeb858b3b5d9f5693829360.squirrel@webmail.harte-lyne.ca>

On 8 February 2017 at 18:43, Trond Endrestøl wrote:

> On Wed, 8 Feb 2017 10:22-0500, James B. Byrne via freebsd-questions wrote:
>
> > How do most people handle hardening /tmp and /var/tmp on FreeBSD? I
> > can get rid of /tmp from the file system and then simply mount it as a
> > tmpfs in /etc/fstab.
> >
> > tmpfs /tmp tmpfs rw,nosuid,noexec,mode=01777 0 0
> >
> > However, /var/tmp is supposed to survive across reboots so how is this
> > handled?
>
> If ZFS is an option, then create a separate dataset/filesystem for
> /var/tmp, and set its quota to something sensible.
>
> If UFS is your (only) option, then create a separate partition of
> reasonable size and mount that as your /var/tmp.
>
> You can also consider a file-backed mfs of a certain size for your
> /var/tmp.
>
> -- 
> +-------------------------------+------------------------------------+
> | Vennlig hilsen,               | Best regards,                      |
> | Trond Endrestøl,              | Trond Endrestøl,                   |
> | IT-ansvarlig,                 | System administrator,              |
> | Fagskolen Innlandet,          | Gjøvik Technical College, Norway,  |
> | tlf. mob. 952 62 567,         | Cellular...: +47 952 62 567,       |
> | sentralbord 61 14 54 00.      | Switchboard: +47 61 14 54 00.      |
> +-------------------------------+------------------------------------+

What are we mitigating? A situation where some bad guy fills /tmp and
collapses the system? Or a situation where a bad guy manages to access
our /tmp and uses it to launch his scripts?

I remember this hardening subject from years back, so I googled
"freebsd security hardening" and found so much being discussed,
including even a port that was specifically made to achieve the same,
as you can read from https://linux-audit.com/freebsd-hardening-lynis/

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
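A check for what the thread recommends, as an added example that is not from either post: the script below reads an fstab-style mount listing (FreeBSD's `mount -p` prints that format; the column layout is assumed here, and the sample listing is constructed) and reports, for /tmp and /var/tmp, whether the directory is its own filesystem at all, whether it is mounted nosuid and noexec, and whether a tmpfs carries a size= cap. That covers both of the cases Odhiambo asks about: an unbounded tmpfs, or a /tmp that still lives on the root filesystem, is the fill-it-up case; missing nosuid/noexec is the run-something-from-it case. For a ZFS /var/tmp the bound is the dataset's quota property, e.g. `zfs create -o quota=2G -o setuid=off -o exec=off zroot/var/tmp` (dataset name assumed), which `mount` does not show and has to be read with `zfs get quota`. One caveat: noexec blocks direct execution of a file but not an interpreter reading a script out of /tmp, so it narrows the second case rather than closing it.

```sh
#!/bin/sh
# audit_tmp.sh: report hardening gaps for /tmp and /var/tmp from an
# fstab-style mount listing. Added example for this thread, not code from it.
# Input lines are assumed to look like FreeBSD `mount -p` output:
#   <device> <mountpoint> <fstype> <options> <dump> <pass>

# Constructed sample listing: /tmp is a tmpfs with neither nosuid/noexec nor
# a size cap; /var/tmp is a dedicated UFS partition with both flags.
SAMPLE_MOUNTS='/dev/ada0p2 / ufs rw 1 1
devfs /dev devfs rw 0 0
tmpfs /tmp tmpfs rw,mode=01777 0 0
/dev/ada0p4 /var/tmp ufs rw,nosuid,noexec 2 2'

# audit_mount MOUNTPOINT LISTING
# Prints "ok <mp>" or "weak <mp>: <reasons>" and returns 1 when weak.
audit_mount() {
    mp=$1
    # Pick the listing line whose second column is the mountpoint.
    line=$(printf '%s\n' "$2" | while read -r dev m fstype opts rest; do
        if [ "$m" = "$mp" ]; then
            printf '%s %s %s %s\n' "$dev" "$m" "$fstype" "$opts"
            break
        fi
    done)
    if [ -z "$line" ]; then
        # Not its own filesystem: whoever can write here can fill the parent
        # filesystem (usually /), which is the denial-of-service case.
        echo "weak $mp: not a separate filesystem (shares the parent, no size bound)"
        return 1
    fi
    set -- $line
    fstype=$3
    opts=",$4,"
    reasons=""
    case $opts in *,nosuid,*) ;; *) reasons="$reasons nosuid-missing" ;; esac
    case $opts in *,noexec,*) ;; *) reasons="$reasons noexec-missing" ;; esac
    # A tmpfs without size= may grow until memory and swap are exhausted.
    # A UFS partition is bounded by its size; a ZFS dataset is bounded by its
    # quota property, which is not a mount option (check with `zfs get quota`).
    if [ "$fstype" = tmpfs ]; then
        case $opts in *,size=*) ;; *) reasons="$reasons unbounded-tmpfs" ;; esac
    fi
    if [ -z "$reasons" ]; then
        echo "ok $mp"
        return 0
    fi
    echo "weak $mp:$reasons"
    return 1
}

# audit_all LISTING: checks both temp directories; returns the number of weak ones.
audit_all() {
    weak=0
    for mp in /tmp /var/tmp; do
        audit_mount "$mp" "$1" || weak=$((weak + 1))
    done
    return $weak
}

# Demo against the constructed sample. On a FreeBSD host: audit_all "$(mount -p)"
audit_all "$SAMPLE_MOUNTS" || echo "$? weak temp mount(s)"
```

Run as-is it flags /tmp on three counts and passes /var/tmp; feed it `mount -p` output to audit a live host. The mountpoint lookup keys on the second column only, so a listing that contains /var/tmp but not /tmp (or the reverse) is reported rather than silently skipped.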