SecureTmp
NOTE: This page is part of the Ubuntu Specification process. Please check the status and details in Launchpad before editing. If the spec is Approved then you should contact the Assignee, or another knowledgeable person, before making changes.
Launchpad entry: https://features.launchpad.net/distros/ubuntu/+spec/secure-tmp
Packages affected:
Summary
This specification aims to move Ubuntu to a secure /tmp directory format, where the pam_tmpdir module is used.
Rationale
Programs that create files in the shared /tmp directory are often subject to race conditions (another local user can pre-create or link a predictably named file before the program does); mitigation techniques exist for this, such as pam_tmpdir, which gives each user a private temporary directory and points $TMPDIR at it.
Use cases
This is general security; but for the sake of argument we will list several.
Bob uses Firefox to open a file; the file is placed in /tmp/bob/ so the file name (sexy_anime_catgirl_wallpaper.zip) is not leaked to other users who may find the same image via Google.
cups has a race condition in its temporary file handling. With pam_tmpdir the file is created in $TMPDIR, so the race can only be won by processes that already run with the permissions of cups, which makes it of no practical use to an attacker.
Scope
The scope is all existing and new Ubuntu installations.
Some programs may not function properly with pam_tmpdir or may not use $TMPDIR properly; these must be fixed.
Design
pam_tmpdir will be enabled for all login sessions.
Implementation
The /etc/pam.d/common-session file should have the following line below pam_unix.so:
session optional pam_tmpdir.so
Note that using required instead of optional would make the login session fail whenever /tmp/USER cannot be created; another user can cause that simply by creating /tmp/USER first, which would turn the module into a denial-of-service vector.
Code
Some programs will have to be modified to use $TMPDIR properly.
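The following is an added example, not code from the specification or from any Ubuntu package, of what "using $TMPDIR properly" means for a C program that must keep working once pam_tmpdir is enabled: honour $TMPDIR (falling back to the shared /tmp only when it is unset), never build a predictable file name, and create the file atomically with mkstemp() so a pre-existing file or symlink cannot be followed. The function names and the "example" prefix are this example's own choices.

```c
/* Added example: temporary file creation that respects $TMPDIR and avoids
 * /tmp race conditions. Not part of the SecureTmp spec; names are invented. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pick the base directory for temporary files: use $TMPDIR (which pam_tmpdir
 * sets to the user's private directory) and fall back to the shared /tmp only
 * when it is unset or empty. The env value is passed in as a parameter so the
 * decision can be tested without touching the real environment. */
const char *tmpdir_base(const char *tmpdir_env)
{
    if (tmpdir_env == NULL || tmpdir_env[0] == '\0')
        return "/tmp";
    return tmpdir_env;
}

/* Build "<dir>/<prefix>.XXXXXX" for mkstemp(). Returns 0 on success, -1 when
 * the result does not fit in buf. The XXXXXX suffix is filled in randomly by
 * mkstemp(); a fixed name such as "<dir>/<prefix>.<pid>" is what makes the
 * classic /tmp race possible. */
int build_template(const char *dir, const char *prefix, char *buf, size_t len)
{
    int n = snprintf(buf, len, "%s/%s.XXXXXX", dir, prefix);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return 0;
}

/* Create a temp file in dir with mkstemp() (O_CREAT|O_EXCL, so an existing
 * file or symlink at that name makes the call fail instead of being reused),
 * confirm that no group/other permission bits are set, write one byte, then
 * unlink it. Returns 0 on success, -1 on any failure. */
int secure_tmpfile_roundtrip(const char *dir)
{
    char path[4096];
    struct stat st;
    int fd;

    if (build_template(dir, "example", path, sizeof path) != 0)
        return -1;
    fd = mkstemp(path);          /* atomically creates a file that did not exist */
    if (fd < 0)
        return -1;               /* e.g. dir missing or not writable */
    if (fstat(fd, &st) != 0 || (st.st_mode & 077) != 0) {
        close(fd);
        unlink(path);
        return -1;               /* file would be readable by other users */
    }
    if (write(fd, "x", 1) != 1) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    unlink(path);                /* keep the example self-cleaning */
    return 0;
}

int main(void)
{
    const char *dir = tmpdir_base(getenv("TMPDIR"));
    if (secure_tmpfile_roundtrip(dir) != 0) {
        fprintf(stderr, "temp file creation under %s failed: %s\n",
                dir, strerror(errno));
        return 1;
    }
    printf("created and removed a private temp file under %s\n", dir);
    return 0;
}
```

Run it twice, once with TMPDIR unset and once with TMPDIR pointing at a private directory such as the one pam_tmpdir provides, to see the file land in the right place each time; a program that hard-codes /tmp instead of calling tmpdir_base() is exactly the kind of program the Scope section says must be fixed.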
Unresolved issues
BoF agenda and discussion
As we said, some programs may not behave appropriately with pam_tmpdir. This should be implemented early in Edgy+1 so that we hit all the problems in the base install BEFORE release. There should be very few. --JohnMoser
SecureTmp (last edited 2008-08-06 16:24:23 by localhost)