What are correct permissions for /tmp ? I unintentionally set it all public recursively

The normal settings for /tmp are 1777, which ls shows as drwxrwxrwt. That is: wide open, except that only the owner of a file can remove it (that's what this extra t bit means for a directory).

The problem with a /tmp with mode 777 is that another user could remove a file that you've created and substitute the content of their choice.

If your /tmp is a tmpfs filesystem, a reboot will restore everything. Otherwise, run chmod 1777 /tmp.

Additionally, a lot of files in /tmp need to be private. However, at least one directory critically needs to be world-readable: /tmp/.X11-unix, and possibly some other similar directories (/tmp/.XIM-unix, etc.). The following command should mostly set things right:

chmod 1777 /tmp
find /tmp -mindepth 1 -name '.*-unix' -exec chmod 1777 {} + -prune -o -exec chmod go-rwx {} +

I.e. make all files and directories private (remove all permissions for group and other), but make the X11 sockets accessible to all. Access control on these sockets is enforced by the server, not by the file permissions. There may be other sockets that need to be publicly available. Run find /tmp -type s -user 0 to discover root-owned sockets which you may need to make world-accessible. There may be sockets owned by other system users as well (e.g. to communicate with a system bus); explore with find /tmp -type s ! -user $UID (where $UID is your user ID).
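Added example, not part of the answer above: a small shell script that rehearses that repair on a constructed scratch directory instead of the real /tmp, then checks the outcome (top directory 1777, the .*-unix directory still world-accessible, everything else private). It assumes GNU find and a coreutils stat that supports -c '%a'; the directory layout it builds is made up for the demonstration.

```shell
#!/bin/sh
# Rehearse the /tmp repair on a throwaway tree and verify the result.
# Assumes GNU find (-mindepth, -exec ... {} +) and GNU stat (-c '%a').
set -eu

# Build a constructed stand-in for an over-permissive /tmp (after chmod -R 777).
make_sample_tmp() {
    dir=$(mktemp -d)
    mkdir -p "$dir/.X11-unix" "$dir/work"
    : > "$dir/.X11-unix/X0"       # stands in for the X server socket
    : > "$dir/work/secret.txt"    # a user's private scratch file
    chmod -R 777 "$dir"
    printf '%s\n' "$dir"
}

# Apply the repair from the answer to $1 rather than to /tmp itself:
# top directory 1777, .*-unix directories 1777 (not descended into),
# everything else stripped of group/other permissions.
repair_tmp() {
    chmod 1777 "$1"
    find "$1" -mindepth 1 -name '.*-unix' -exec chmod 1777 {} + -prune \
         -o -exec chmod go-rwx {} +
}

# Octal mode of a path as stat prints it (e.g. 1777, 700).
mode_of() {
    stat -c '%a' "$1"
}

# Number of entries under $1 (skipping the .*-unix trees) still writable by others.
count_world_writable() {
    find "$1" -mindepth 1 -name '.*-unix' -prune -o -perm -002 -print | wc -l | tr -d ' '
}

if [ "${1-}" = "demo" ]; then
    d=$(make_sample_tmp)
    repair_tmp "$d"
    echo "top: $(mode_of "$d")  X11 dir: $(mode_of "$d/.X11-unix")  private file: $(mode_of "$d/work/secret.txt")"
    echo "still world-writable: $(count_world_writable "$d")"
    rm -rf "$d"
fi
```

Run it with the argument demo; it never touches the real /tmp.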


/tmp and /var/tmp should have read, write and execute rights for all; but you'd usually also add the sticky bit (o+t), to prevent users from removing files/directories belonging to other users. So chmod a=rwx,o+t /tmp should work.

As for changing permissions recursively... As long as the owner/group remains as it is for the files and directories, it shouldn't be that much of a problem. But you could perhaps change the permission of everything under /tmp (not /tmp itself) to ensure users' privacy, by removing the rx rights of others and perhaps the group.

Find is a good way of doing this. As root, do:

cd /tmp
find . -type f -exec chmod u=rw,go= {} \;   # (or u=rw,g=r,o= {})
find . -type d -exec chmod u=rwx,go= {} \;  # (or u=rwx,g=rx,o= {})

[root@Niflheim tmp]# ls -alF .
total 1632
drwxrwxrwt 15 root root    4096 Apr  7 04:24 ./
drwxr-xr-x 28 root root    4096 Apr  2 21:02 ../
[root@Niflheim tmp]# stat -c '%A %a %n' .
drwxrwxrwt 1777 .

From a CentOS 5.9 machine.