How useful is mounting /tmp noexec?
Solution 1:
Here are the arguments for utility I've come up with so far:
Modern kernels fix the /lib/ld-linux.so
hole, so that it won't be able to map executable pages from a noexec
filesystem.
The interpreters point is certainly still a concern, though I think less of one than people might claim. The reasoning I can come up with is that there have been numerous privilege escalation vulnerabilities that relied on making particular malformed syscalls. Without an attacker providing a binary, it would be much harder to make evil syscalls. Also, script interpreters should be unprivileged (I know this has historically sometimes not been the case, such as with an suid perl), and so would need their own vulnerability to be useful in an attack. Apparently, it is possible to use Python, at least, to run some exploits.
Many 'canned' exploits may try to write and run executables in /tmp
, and so noexec
reduces the probability of falling to a scripted attack (say in the window between vulnerability disclosure and patch installation).
Thus, there's still a security benefit to mounting /tmp
with noexec
.
As described in Debian's bug tracker, setting APT::ExtractTemplates::TempDir
in apt.conf
to a directory that is not noexec
and accessible to root would obviate the debconf concern.
Solution 2:
Many Debian packages require /tmp to be executable in order for the package to install. These are often marked as bugs (of 'normal'/'wishlist' severity):
https://www.google.com/#q=site:bugs.debian.org+noexec+/tmp
I received just this error while installing an updated kernel to the stable branch just today.
So it looks like Debian (& derivatives?) is not ready for /tmp to be mounted noexec...
Solution 3:
add the following to /etc/apt.conf, or, /etc/apt/apt.conf.d/50remount
DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount /tmp";};
Solution 4:
Even though workarounds exist for most supplementary security measures you might choose to implement, even the most easily circumvented security measures (such as mounting /tmp noexec or running SSH on an alternate port) will thwart automated or scripted attacks that rely on the defaults in order to function. It won't protect you against a determined and knowledgeable attacker, but well over 99% of the time, you won't be up against a determined or knowledgeable attacker. Instead, you'll be defending yourself against an automated attack script.
Solution 5:
First:
It covers many, different attack cases. Turning it off because there was a few known ways around it (some of which even fixed) is weird. Attackers downloading code to /dev/shm
or /tmp
is a common thing they do.
Defense in depth is about securing most common waypoints, each that stops them makes your system more survivable. Not safe. But it'll also have a chance. If they can't fetch their secondary payload, that is a pretty good chance you're getting.
- It might also be stopped by iptables user restrictions.
- It might also be stopped by SELinux.
- It might also not be stopped due to an easily accessed other exploit.
The point is to make it as hard as you easily can, and cut out 99% of the attacks.
Second:
It stops bad practice (running stuff from temp, doing major application installs via /tmp
instead of a user tmpdir), leaving data in /tmp
.
Custom installers usually do understand TMPDIR
Also: even if not: installation time, as a point-in-time action, is not a valid reason to turn off a security issue permanently.
Third:
Considering anonymous namespaces in /tmp
(a "feature"), you really want to restrict what's put there and run from there.
Fourth:
Convenience is not a relevant factor in this.
Assuming we run servers for money, and for a purpose: we're responsible for this stuff. "Oh, I didn't lock down /tmp
because then I need a few more minutes when I update my software next year".
Surely it'll not be just this one thing that stands between being blackmailed and just being fine.
A great reason? I don't think so.
How about this one:
"We learned that enemies can attack without notice. They could also use hundreds of spies to poison the food. So we stopped handing out guns to our soldiers."
Wait, WHAT?
There's other measures that require a lot more effort, experience and luck to secure a system, and knowing people have limited money, lifespans and also would like to spend time with their families: Don't skip the easy stuff.