Internet, Unix en security

A /tmp for every user

With the transition towards /run, some temporary files move to /run/user/, but plenty of files remain in /tmp: files that may leak information or serve as a point of code injection, as CVE-2012-3355 showed. A first step is to give every user a private temporary directory when he or she logs in, which restricts how far those temporary files are exposed to other users on the same system.

After installing the right PAM module and enabling it, every user who logs in gets their own directory for temporary files. In this case the directory is named after the user's numeric ID, but it is still only accessible to that user; the module exports TMPDIR and TMP pointing at it, so programs that honour those variables use it automatically. Note that the parent /tmp/user is traversable but not listable (drwx--x--x), so a user cannot even enumerate the other users' directories.

$ sudo apt-get install libpam-tmpdir
$ sudo pam-auth-update --package tmpdir
$ ls -l /tmp
total 0
drwx--x--x 4 root       root       80 jun 24 22:01 user
$ sudo ls -l /tmp/user
total 0
drwx------ 2 root    root     40 jun 24 22:00 0
drwx------ 2 user1   users    40 jun 24 22:06 1000
drwx------ 2 user2   users    40 jun 24 22:03 1001

Files and directories that still appear directly in /tmp after this deserve additional attention: the program that created them ignores TMPDIR and has the path /tmp hardcoded. A small bug report to move away from hardcoded paths is in order, because in most cases a hardcoded path also means a fixed, predictable file name shared by all users on the system, which is exactly the pattern behind the temporary-file races and symlink attacks a private directory is meant to prevent.

A goodbye to Java

In the past I already removed Flash and Mono from my systems due to security concerns, but since CVE-2011-3544 it was the final call for Java. It took some dependency checking, as Debian was replacing OpenJDK with GCJ or vice versa in most cases, but the command below finished that on a lot of systems. I said farewell to NetBeans a long time ago since it was too slow on my system, and the only thing left was LibreOffice Base, which needed to be removed as well.

$ sudo apt-get remove --purge libgcj12 libgcj-common gcj-4.6-jre-headless \
    libgcj12-awt default-jre-headless

This action also made me wonder about the state of LibreOffice, as it is mainly a big blob of code on the system, like Firefox is as well, by the way. I read on their website somewhere that making Java optional is a long-term goal, but will it be enough? For now it should be, as I prefer my documents in OpenDocument format. When the next GTK3-based versions of Abiword and Gnumeric are released I need to do some testing again to see if they now support OpenDocument better.