[ubuntu-hardened] Polyinstantiate /tmp, /var/tmp and user home folders.

daniel curtis sidetripping at gmail.com
Sun Feb 21 16:07:07 UTC 2016


Hello.

Today I would like to ask a question about polyinstantiation and PAM to
improve system security. Polyinstantiation of some world-writable
directories (e.g. /tmp, /var/tmp) could prevent multiple types of attacks,
such as: attacks by one user on another user, attacks by a user on a daemon,
or attacks by a non-root daemon on a user, to name a few.

Using this type of protection is pretty simple. To enable this feature, the
user has to edit the '/etc/security/namespace.conf' file, uncomment at least
three lines and add one entry to the '/etc/pam.d/login' file. Of course, the
'/tmp-inst/' and '/var/tmp/tmp-inst/' directories must be created, e.g. via
the 'mkdir' command.

There are interesting articles/descriptions about polyinstantiation of
directories (please note that, despite the title, this feature also provides
benefits for non-SE Linux systems):

http://www.coker.com.au/selinux/talks/sage-2006/PolyInstantiatedDirectories.html

(Especially see: "Other Solutions", "Non-SE Linux Requirements for Shared
Directories"). There are two more interesting articles. One from Fedora
Linux[1] and a second from IBM[2].

Given all of the above, I would like to know your opinions about this
security feature. Is it worth implementing, etc.? What do you think about
this?

Best regards.
_____________
[1] https://fedoraproject.org/wiki/Security_Features_Matrix (see
"Polyinstantiate /tmp, /var/tmp and user home folders")
[2] https://www.ibm.com/developerworks/library/l-polyinstantiation/
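
The setup steps listed in the message above (entries in namespace.conf, a PAM session entry, pre-created instance directories) can be checked with a short audit script. This is an added example, not part of the original post or of Linux-PAM. It assumes a host without SELinux (where the 'level' and 'context' methods are unavailable), pam_namespace's default requirement that instance parent directories have mode 000, and GNU stat; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a pam_namespace setup (function names are hypothetical).
#   $1 namespace.conf   $2 PAM service file   $3 root prefix ("" = live system)
# Prints one finding per line; returns 0 only when there are no findings.
audit_polyinst() {
    conf=$1 pam=$2 root=$3 findings=0 active=0
    report() { echo "$1"; findings=$((findings + 1)); }

    # pam_namespace acts only for services that have a session line for it.
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_namespace\.so' "$pam" ||
        report "pam: no session line for pam_namespace.so in $pam"

    while read -r polydir prefix method _rest; do
        case $polydir in ''|'#'*) continue ;; esac    # blank or still commented
        active=$((active + 1))
        case $method in
            user) ;;
            level|context) report "$polydir: method '$method' needs SELinux" ;;
            *) continue ;;            # other methods are not examined here
        esac
        # Prefixes containing $HOME or $USER expand per user at login; skip.
        case $prefix in *'$'*) continue ;; esac
        parent=$root${prefix%/}
        if [ ! -d "$parent" ]; then
            report "$polydir: instance parent $parent is missing"
        elif [ "$(stat -c %a "$parent")" -ne 0 ]; then   # GNU stat assumed
            report "$polydir: instance parent $parent is not mode 000"
        fi
    done < "$conf"

    [ "$active" -gt 0 ] || report "conf: no active entries in $conf"
    [ "$findings" -eq 0 ]
}

# Constructed sample input: three entries using 'level', one parent left at 755.
demo_polyinst() {
    d=$(mktemp -d) && mkdir -p "$d/var/tmp" && mkdir -m 000 "$d/tmp-inst" &&
        mkdir -m 755 "$d/var/tmp/tmp-inst" || return 2
    printf '%s\n' '/tmp /tmp-inst/ level root,adm' \
        '/var/tmp /var/tmp/tmp-inst/ level root,adm' \
        '$HOME $HOME/$USER.inst/ level' > "$d/namespace.conf"
    printf 'session required pam_namespace.so\n' > "$d/login"
    audit_polyinst "$d/namespace.conf" "$d/login" "$d"
}
```

On a live system the call would be: audit_polyinst /etc/security/namespace.conf /etc/pam.d/login ""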