How useful is mounting /tmp noexec?

linux security mount tmp noexec

45,849

Solution 1

Here are the arguments for utility I've come up with so far:

Modern kernels fix the /lib/ld-linux.so hole, so that it won't be able to map executable pages from a noexec filesystem.

The interpreters point is certainly still a concern, though I think less of one than people might claim. The reasoning I can come up with is that there have been numerous privilege escalation vulnerabilities that relied on making particular malformed syscalls. Without an attacker providing a binary, it would be much harder to make evil syscalls. Also, script interpreters should be unprivileged (I know this has historically sometimes not been the case, such as with an suid perl), and so would need their own vulnerability to be useful in an attack. Apparently, it is possible to use Python, at least, to run some exploits.

Many 'canned' exploits may try to write and run executables in /tmp, and so noexec reduces the probability of falling to a scripted attack (say in the window between vulnerability disclosure and patch installation).

Thus, there's still a security benefit to mounting /tmp with noexec.

As described in Debian's bug tracker, setting APT::ExtractTemplates::TempDir in apt.conf to a directory that is not noexec and accessible to root would obviate the debconf concern.

Solution 2

add the following to /etc/apt.conf, or, /etc/apt/apt.conf.d/50remount

DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount /tmp";};

Solution 3

Many Debian packages require /tmp to be executable in order for the package to install. These are often marked as bugs (of 'normal'/'wishlist' severity):

https://www.google.com/#q=site:bugs.debian.org+noexec+/tmp

I received just this error while installing an updated kernel to the stable branch just today.

So it looks like Debian (& derivatives?) is not ready for /tmp to be mounted noexec...

Solution 4

Even though workarounds exist for most supplementary security measures you might choose to implement, even the most easily circumvented security measures (such as mounting /tmp noexec or running SSH on an alternate port) will thwart automated or scripted attacks that rely on the defaults in order to function. It won't protect you against a determined and knowledgeable attacker, but well over 99% of the time, you won't be up against a determined or knowledgeable attacker. Instead, you'll be defending yourself against an automated attack script.

Solution 5

First: It covers many, different attack cases. Turning it off because there was a few known ways around it (some of which even fixed) is weird. Attackers downloading code to /dev/shm or /tmp is a common thing they do.

Defense in depth is about securing most common waypoints, each that stops them makes your system more survivable. Not safe. But it'll also have a chance. If they can't fetch their secondary payload, that is a pretty good chance you're getting.

It might also be stopped by iptables user restrictions.
It might also be stopped by SELinux.
It might also not be stopped due to an easily accessed other exploit.

The point is to make it as hard as you easily can, and cut out 99% of the attacks.

Second: It stops bad practice (running stuff from temp, doing major application installs via /tmp instead of a user tmpdir), leaving data in /tmp. Custom installers usually do understand TMPDIR Also: even if not: installation time, as a point-in-time action, is not a valid reason to turn off a security issue permanently.

Third: Considering anonymous namespaces in /tmp (a "feature"), you really want to restrict what's put there and run from there.

Fourth: Convenience is not a relevant factor in this. Assuming we run servers for money, and for a purpose: we're responsible for this stuff. "Oh, I didn't lock down /tmp because then I need a few more minutes when I update my software next year". Surely it'll not be just this one thing that stands between being blackmailed and just being fine. A great reason? I don't think so.

How about this one:

"We learned that enemies can attack without notice. They could also use hundreds of spies to poison the food. So we stopped handing out guns to our soldiers."

Wait, WHAT?

There's other measures that require a lot more effort, experience and luck to secure a system, and knowing people have limited money, lifespans and also would like to spend time with their families: Don't skip the easy stuff.

View more solutions

45,849

uno

Contact me for help speeding up your technical computing applications, software development process training and guidance, and other sophisticated development needs. LinkedIn or email on that profile preferred.

Updated on September 17, 2022

Comments

uno over 1 year
Many people (including the Securing Debian Manual) recommend mounting /tmp with the noexec,nodev,nosuid set of options. This is generally presented as one element of a 'defense-in-depth' strategy, by preventing the escalation of an attack that lets someone write a file, or an attack by a user with a legitimate account but no other writable space.

Over time, however, I've encountered arguments (most prominently by Debian/Ubuntu Developer Colin Watson) that noexec is a useless measure, for a couple potential reasons:
1. The user can run /lib/ld-linux.so <binary> in an attempt to get the same effect.
2. The user can still run system-provided interpreters on scripts that can't be run directly
Given these arguments, the potential need for more configuration (e.g. debconf likes an executable temporary directory), and the potential loss of convenience, is this a worthwhile security measure? What other holes do you know of that enable circumvention?
- Admin over 11 years
  
  @neoice: I have heard that applications will occasionally break if /tmp is not executable. I've yet to actually see it happen though. Look at TuxGuitar-1.2 ... it happens. Will not start if /tmp isn't mounted without noexec option, because it unpacks libraries there and then tries to load them.
- Admin over 8 years
  
  VMware's Site Recovery Manager runs scripts from "/tmp": IP Customization fails during a failover or test failover of a recovery plan in vCenter Site Recovery Manager (2021083): kb.vmware.com/selfservice/microsites/…
- jorfus almost 7 years
  
  I know that the compression utility called snappy drops a .so file in /tmp and can't run if it's mounted noexec. (it's used by default in cassandra and kafka) IMHO this is a reason not to use snappy rather than a reason not to mount /tmp noexec
ISJ over 14 years

however, I have heard that applications will occasionally break if /tmp is not executable. I've yet to actually see it happen though.
uno over 14 years

As noted in the manual linked in the question, it does mess with Debconf package pre-configuration without setting up an alternative.
Lekensteyn over 13 years

I've replaced mount by /bin/mount in case PATH gets modified. You'll never know.
equaeghe over 12 years

I guess it is uncommon, but packages that are written to execute something from /tmp outside of a package installation context do exist (e.g., the current version of the middleware for using the Belgian Electronic Identity Cards).
uno over 12 years

equaeghe: What package is that? It should probably be reported as a bug. I'm willing to bet there's a security vulnerability to be found in how it's using that, too.
Mala over 11 years

It's also a problem with android sdk stuff. Trying to run the graphical android sdk updater will result in Exception in thread "main" java.lang.UnsatisfiedLinkError: no swt-gtk-3550 or swt-gtk in swt.library.path, java.library.path or the jar file errors unless /tmp is executable
Sean Allred almost 11 years

@neoice It is worth it to mention that installing PostgreSQL 9.1.4 will break if this is so.
Ekevoo over 10 years

@neoice Oracle Enterprise Manager Agent deployer breaks when /tmp is noexec.
phylae over 10 years

Installing nVidia CUDA 5.0 on Ubuntu 12.04 failed when /tmp was mounted with noexec.
Gert van den Berg almost 7 years

An analysis of an exploit for the Samba vulnerability, which would be stopped by a noexec /tmp: bobao.360.cn/learning/detail/4168.html (Chrome's Google translate recommended. It would break the initial exploit, as well as a big part of the payload...) (You can break many common automatic exploits that way....). mount -o remount,exec /tmp works when you need to install stuff... (Yes, it is trivial to work around, but many attackers don't seem to bother...)
Eiver over 3 years

docker-compose fails when /tmp is mounted with noexec
Trevor Boyd Smith over 3 years

i've been doing lots of python development and here's a list of pip packages that failed to install because /tmp is mounted with noexec: scikit-learn, matplotlib==1.3.0, PyQt4, wxpython. so now i need to do development on a different machine because I can't pip install what is needed on this machine.
user2968902 about 3 years

Coq also breaks with noexec /tmp: github.com/coq/coq/issues/14215.
Admin almost 2 years

Just because certain software like postgres and oracle EMA fail doesn't mean you should remove noexec from /etc/fstab. If your (eg. regulated) env is properly secure, there may not be much to do but hope you can build from source and update it, or bang your head against a brick wall for a couple of weeks.