by default tmpmfs_flags="-S" When in reality tmpmfs_flags="-S -o nosymfollow,nosuid" would be much safer Fix: tmpmfs_flags="-S -o nosymfollow,nosuid"
On 2005-05-11 17:38, Caitlen <aeonflux@aeonflux.no-ip.com> wrote: > by default > tmpmfs_flags="-S" > When in reality > tmpmfs_flags="-S -o nosymfollow,nosuid" > > would be much safer I don't think this is really a bug, but anyway. It would probably be safer to use: tmpmfs_flags="-S -o noatime,noexec,nosuid,nosymfollow" The ability to actually *use* whatever options are best for your system is exactly why I made the original change to rc.d/tmp, but I'm not sure if it would be good to enforce so strict permissions to everyone :-/
On May 12, 2005 09:59 am, Giorgos Keramidas wrote: > On 2005-05-11 17:38, Caitlen <aeonflux@aeonflux.no-ip.com> wrote: > > by default > > tmpmfs_flags="-S" > > When in reality > > tmpmfs_flags="-S -o nosymfollow,nosuid" > > > > would be much safer > > I don't think this is really a bug, but anyway. It would probably be > safer to use: > > tmpmfs_flags="-S -o noatime,noexec,nosuid,nosymfollow" > > The ability to actually *use* whatever options are best for your system > is exactly why I made the original change to rc.d/tmp, but I'm not sure > if it would be good to enforce so strict permissions to everyone :-/ Good point, but I do think a nosymfollow is a good default. There's really no reason to allow /tmp symlink race conditions to happen. SInce it's a memory fs, disabling atime doesn't really make a big difference. Anyways just a suggestion, I'll be definitely setting nosymfollow on my machine here.
On 2005-05-12 17:10, aeonflux <aeonflux@aeonflux.no-ip.com> wrote: >On May 12, 2005 09:59 am, Giorgos Keramidas wrote: >> On 2005-05-11 17:38, Caitlen <aeonflux@aeonflux.no-ip.com> wrote: >> > by default >> > tmpmfs_flags="-S" >> > When in reality >> > tmpmfs_flags="-S -o nosymfollow,nosuid" >> > >> > would be much safer >> >> I don't think this is really a bug, but anyway. It would probably be >> safer to use: >> >> tmpmfs_flags="-S -o noatime,noexec,nosuid,nosymfollow" >> >> The ability to actually *use* whatever options are best for your system >> is exactly why I made the original change to rc.d/tmp, but I'm not sure >> if it would be good to enforce so strict permissions to everyone :-/ > > Good point, but I do think a nosymfollow is a good default. There's really no > reason to allow /tmp symlink race conditions to happen. SInce it's a memory > fs, disabling atime doesn't really make a big difference. > > Anyways just a suggestion, I'll be definitely setting nosymfollow on my > machine here. I'm a bit worried about giving a false sense of "secure default setup", by having /tmp mounted as "nosymfollow". Users who are determined to attempt symlink race hacks may also set TMPDIR=/var/tmp or even TMPDIR=/home/smartass/tmp and try their luck there. Mounting both /tmp and /var as nosymfollow runs the risk of crippling everyone's use of the file systems without actually being a 100% bulletproof solution. - Giorgos
State Changed From-To: open->feedback The conclusion of the discussion was that changing tmpmfs defaults doesn't buy much security, but will break existing setups. This would violate POLA. Therefore I suggest this PR be closed.
Responsible Changed From-To: freebsd-bugs->yar Taking this...
State Changed From-To: feedback->closed The conclusion of the discussion was that changing tmpmfs defaults doesn't buy much security, but will break existing setups. That would violate POLA. Therefore this PR is being closed.