[ubuntu-hardened] Polyinstantiate /tmp, /var/tmp and user home folders.
sidetripping at gmail.com
Sun Feb 21 16:07:07 UTC 2016
Today I would like to ask a question about Polyinstantiate and PAM to
improve system security. Polyinstantiation of some world-writable
directories (e.g. /tmp, /var/tmp) could prevent multiple type of attacks,
such as: attacks by one user on another user, attacks by a user on a daemon
or attacks by a non-root daemon on a user to name a few.
Using this type of protection is pretty simple. To enable this feature user
have to edit '/etc/security/namespace.conf' file, uncomment at least three
lines and add one entry to the '/etc/pam.d/login' file. Of course
'/tmp-inst/' and '/var/tmp/tmp-inst/' directories must be created e.g. via
There are an interesting articles/descriptions about Polyinstantiation of
directories (please note, despite title, that this feature also provides
benefits for non-SE Linux systems):
(Especially see: "Other Solutions", "Non-SE Linux Requirements for Shared
Directories"). There are two more interesting articles. One from Fedora
Linux and second from an IBM.
According to all above, I would like to know your opinions about this
security feature. It is worth to implement etc.? What do you think about
 https://fedoraproject.org/wiki/Security_Features_Matrix (see
"Polyinstantiate /tmp, /var/tmp and user home folders")
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the ubuntu-hardened