tmp-nosuid

Makes sure /tmp is mounted with the 'nosuid' option.

Maintainer

Vratislav Podzimek

Module stats

Total Downloads: 19262
Updated: Jan 4, 2022

Installation version

Version
Released on Jan 4, 2022

Tags

Installation

                    
cfbs add tmp-nosuid
Description
Dependencies
Discussion

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.

/tmp should be a separate mount point with a nosuid mount option that can be used to prevent execution of SUID programs in /tmp.

Variables

  • northerntech_security_hardening:tmp_nosuid.action: controls whether only warnings should be emitted ("warn") or actual changes to fix issues should be made ("fix")

Examples

Example of a cf-agent run on a host that doesn't have /tmp as a separate mount point:

[root@hub]# cf-agent -KI
R: WARNING: /tmp should be a separate mount point so that it can be mounted with the 'nosuid' option

Example of cf-agent run on a host that has /tmp mounted without the nosuid option without northerntech_security_hardening:tmp_nosuid.action set to "fix":

[root@hub]# cf-agent -KI
R: WARNING: /tmp should be mounted with 'nosuid' option

Example of cf-agent run on a host that has /tmp mounted without the nosuid option using a line in /etc/fstab with northerntech_security_hardening:tmp_nosuid.action set to "fix":

[root@hub]# cf-agent -KI
    info: Completed execution of '/bin/mount -o remount,rw,seclabel,relatime,nosuid /tmp/'
R: NOTICE: /tmp was successfully remounted with the 'nosuid' option
    info: Appended field sub-value 'nosuid' in '/etc/fstab'
    info: fields_edit promise '(?!#)\S+\s+/tmp\s.+' repaired
    info: Edited file '/etc/fstab'

Example of cf-agent run on a host that has /tmp mounted without the nosuid option using a system .mount unit with northerntech_security_hardening:tmp_nosuid.action set to "fix":

[root@hub]# cf-agent -KI
    info: Executing 'no timeout' ... '/bin/mount -o remount,rw,seclabel,nosuid /tmp/'
    info: Completed execution of '/bin/mount -o remount,rw,seclabel,nosuid /tmp/'
R: NOTICE: /tmp was successfully remounted with the 'nosuid' option
    info: Copied file '/usr/lib/systemd/system/tmp.mount' to '/etc/systemd/system/tmp.mount.cfnew' (mode '600')
    info: Moved '/etc/systemd/system/tmp.mount.cfnew' to '/etc/systemd/system/tmp.mount'
    info: Updated file '/etc/systemd/system/tmp.mount' from 'localhost:/usr/lib/systemd/system/tmp.mount'
    info: Deleted the promised line 1 'Options=mode=1777,strictatime' from /etc/systemd/system/tmp.mount
    info: delete_lines promise 'Options=.*' repaired
    info: Inserted the promised line 'Options=mode=1777,strictatime,nosuid' into '/etc/systemd/system/tmp.mount' after locator
    info: insert_lines promise 'Options=mode=1777,strictatime,nosuid' repaired
    info: Edited file '/etc/systemd/system/tmp.mount'
    info: Executing 'no timeout' ... '/usr/bin/systemctl daemon-reload'
    info: Completed execution of '/usr/bin/systemctl daemon-reload'

In case the remount fails for some reason, the following report is printed:

R: WARNING: Failed to remount /tmp with the 'nosuid' option. Make sure the option is added to the default mount options for /tmp and reboot the machine

Dependencies