Many people (including the Securing Debian Manual) recommend mounting /tmp with the noexec,nodev,nosuid set of options. This is generally presented as one element of a 'defense-in-depth' strategy, by preventing the escalation of an attack that lets someone write a file, or an attack by a user with a legitimate account but no other writable space.
Over time, however, I've encountered arguments (most prominently by Debian/Ubuntu Developer Colin Watson) that noexec is a useless measure, for a couple potential reasons:
- The user can run
/lib/ld-linux.so <binary>in an attempt to get the same effect. - The user can still run system-provided interpreters on scripts that can't be run directly
Given these arguments, the potential need for more configuration (e.g. debconf likes an executable temporary directory), and the potential loss of convenience, is this a worthwhile security measure? What other holes do you know of that enable circumvention?
Here are the arguments for utility I've come up with so far:
Modern kernels fix the
/lib/ld-linux.sohole, so that it won't be able to map executable pages from anoexecfilesystem.The interpreters point is certainly still a concern, though I think less of one than people might claim. The reasoning I can come up with is that there have been numerous privilege escalation vulnerabilities that relied on making particular malformed syscalls. Without an attacker providing a binary, it would be much harder to make evil syscalls. Also, script interpreters should be unprivileged (I know this has historically sometimes not been the case, such as with an suid perl), and so would need their own vulnerability to be useful in an attack. Apparently, it is possible to use Python, at least, to run some exploits.
Many 'canned' exploits may try to write and run executables in
/tmp, and sonoexecreduces the probability of falling to a scripted attack (say in the window between vulnerability disclosure and patch installation).Thus, there's still a security benefit to mounting
/tmpwithnoexec.As described in Debian's bug tracker, setting
APT::ExtractTemplates::TempDirinapt.confto a directory that is notnoexecand accessible to root would obviate the debconf concern.add the following to /etc/apt.conf, or, /etc/apt/apt.conf.d/50remount
Many Debian packages require /tmp to be executable in order for the package to install. These are often marked as bugs (of 'normal'/'wishlist' severity):
https://www.google.com/#q=site:bugs.debian.org+noexec+/tmp
I received just this error while installing an updated kernel to the stable branch just today.
So it looks like Debian (& derivatives?) is not ready for /tmp to be mounted noexec...
Even though workarounds exist for most supplementary security measures you might choose to implement, even the most easily circumvented security measures (such as mounting /tmp noexec or running SSH on an alternate port) will thwart automated or scripted attacks that rely on the defaults in order to function. It won't protect you against a determined and knowledgeable attacker, but well over 99% of the time, you won't be up against a determined or knowledgeable attacker. Instead, you'll be defending yourself against an automated attack script.
First: It covers many, different attack cases. Turning it off because there was a few known ways around it (some of which even fixed) is weird. Attackers downloading code to
/dev/shmor/tmpis a common thing they do.Defense in depth is about securing most common waypoints, each that stops them makes your system more survivable. Not safe. But it'll also have a chance. If they can't fetch their secondary payload, that is a pretty good chance you're getting.
The point is to make it as hard as you easily can, and cut out 99% of the attacks.
Second: It stops bad practice (running stuff from temp, doing major application installs via
/tmpinstead of a user tmpdir), leaving data in/tmp. Custom installers usually do understand TMPDIR Also: even if not: installation time, as a point-in-time action, is not a valid reason to turn off a security issue permanently.Third: Considering anonymous namespaces in
/tmp(a "feature"), you really want to restrict what's put there and run from there.Fourth: Convenience is not a relevant factor in this. Assuming we run servers for money, and for a purpose: we're responsible for this stuff. "Oh, I didn't lock down
/tmpbecause then I need a few more minutes when I update my software next year". Surely it'll not be just this one thing that stands between being blackmailed and just being fine. A great reason? I don't think so.How about this one:
Wait, WHAT?
There's other measures that require a lot more effort, experience and luck to secure a system, and knowing people have limited money, lifespans and also would like to spend time with their families: Don't skip the easy stuff.
There are applications that require /tmp to be executable to install. At a previous job, before I got there the admins had set up /tmp noexec, but I discovered that the db2 package wouldn't install. Even if you untar the db2 package somewhere else, the install procedure copies some files to /tmp and expects to be able to execute it, which of course failed with permission denied. If you aren't aware that the filesystem is mounted noexec, it might be a little misleading. It was only able to continue the install after I remounted /tmp without noexec.
Anyway, the point is that at least one commercial product requires /tmp to not be mounted noexec, and there might be others. I haven't found a really compelling reason for it. If you want better security, I would go with selinux instead.