Add support for per-user /tmp.

Enabled via per_user_tmp in /etc/rc.conf (default off). See security(8) and rc.conf(5) for more details. Lots of input from thorpej@ & christos@, thanks!
2007-02-04 08:19:26 +00:00 · 2007-02-04 08:19:26 +00:00 · 5e2e282f9c
parent 3044852cc5
commit 5e2e282f9c
9 changed files with 148 additions and 14 deletions
--- a/distrib/sets/lists/etc/mi
+++ b/distrib/sets/lists/etc/mi
@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.184 2006/11/12 03:02:50 christos Exp $
+# $NetBSD: mi,v 1.185 2007/02/04 08:19:26 elad Exp $
 #
 # Note: end-user configuration files that are moved to another location
 #	should not be marked "obsolete"; they should just be removed from
@ -206,6 +206,7 @@
 ./etc/rc.d/nfslocking				etc-nfsserver-rc
 ./etc/rc.d/ntpd					etc-ntp-rc
 ./etc/rc.d/ntpdate				etc-ntp-rc
+./etc/rc.d/perusertmp				etc-sys-rc
 ./etc/rc.d/pf					etc-net-rc
 ./etc/rc.d/pf_boot				etc-net-rc
 ./etc/rc.d/pflogd				etc-net-rc
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@ -1,4 +1,4 @@
-#	$NetBSD: rc.conf,v 1.82 2006/12/30 11:06:04 elad Exp $
+#	$NetBSD: rc.conf,v 1.83 2007/02/04 08:19:26 elad Exp $
 #
 # /etc/defaults/rc.conf --
 #	default configuration of /etc/rc.conf
@ -103,6 +103,8 @@ lkm=NO			# Run /etc/rc.lkm.  /usr needs to be part of /, or

 savecore=YES		savecore_flags="-z"
 			savecore_dir="/var/crash"
+per_user_tmp=NO					# per-user /tmp directories
+per_user_tmp_dir="/private/tmp"			# real storage for /tmp
 clear_tmp=YES					# clear /tmp after reboot
 update_motd=YES					# updates /etc/motd
 dmesg=YES		dmesg_flags=""		# write /var/run/dmesg.boot
--- a/etc/mtree/special
+++ b/etc/mtree/special
@ -1,4 +1,4 @@
-#	$NetBSD: special,v 1.108 2006/12/14 02:28:30 reed Exp $
+#	$NetBSD: special,v 1.109 2007/02/04 08:19:26 elad Exp $
 #	@(#)special	8.2 (Berkeley) 1/23/94
 #
 # This file may be overwritten on upgrades.
@ -222,6 +222,7 @@
 ./etc/rc.d/nfslocking		type=file mode=0555
 ./etc/rc.d/ntpd			type=file mode=0555
 ./etc/rc.d/ntpdate		type=file mode=0555
+./etc/rc.d/perusertmp		type=file mode=0555
 ./etc/rc.d/pf			type=file mode=0555
 ./etc/rc.d/pf_boot		type=file mode=0555
 ./etc/rc.d/pflogd		type=file mode=0555
@ -311,6 +312,9 @@
 ./etc/racoon/racoon.conf	type=file mode=0644 optional
 ./etc/racoon/psk.txt		type=file mode=0600 optional tags=nodiff

+./private			type=dir mode=0755 optional
+./private/tmp			type=dir mode=0111 optional ignore
+
 ./root				type=dir  mode=0755
 ./root/.cshrc			type=file mode=0644
 ./root/.klogin			type=file mode=0600 optional
--- a/etc/rc.d/cleartmp
+++ b/etc/rc.d/cleartmp
@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $NetBSD: cleartmp,v 1.7 2006/10/07 23:08:03 elad Exp $
+# $NetBSD: cleartmp,v 1.8 2007/02/04 08:19:26 elad Exp $
 #

 # PROVIDE: cleartmp
@ -16,13 +16,19 @@ stop_cmd=":"

 cleartmp_start()
 {
-	echo "Clearing /tmp."
+	echo "Clearing temporary files."
 	#
 	#	Prune quickly with one rm, then use find to clean up
 	#	/tmp/[lq]* (this is not needed with mfs /tmp, but
 	#	doesn't hurt anything).
 	#
-	(cd /tmp && rm -rf [a-km-pr-zA-Z]* &&
+	if [ \( X"${per_user_tmp}" = X"YES" \) -a \( -d ${per_user_tmp_dir} \) ]; then
+		tmp_dir=${per_user_tmp_dir}
+	else
+		tmp_dir="/tmp"
+	fi
+
+	(cd ${tmp_dir} && rm -rf [a-km-pr-zA-Z]* &&
 	    find -x . ! -name . ! -name lost+found ! -name quota.user \
 		! -name quota.group -exec rm -rf -- {} \; -type d -prune)
 }
--- a/etc/rc.d/perusertmp
+++ b/etc/rc.d/perusertmp
@ -0,0 +1,48 @@
+#!/bin/sh
+#
+# $NetBSD: perusertmp,v 1.1 2007/02/04 08:19:26 elad Exp $
+#
+
+# PROVIDE: perusertmp
+# REQUIRE: mountall
+# BEFORE:  cleartmp
+
+$_rc_subr_loaded . /etc/rc.subr
+
+name="perusertmp"
+rcvar="per_user_tmp"
+start_cmd="perusertmp_start"
+stop_cmd=":"
+
+perusertmp_start()
+{
+	echo "Preparing per-user /tmp."
+
+	# If /tmp is a mount point, we can't do anything.
+	if [ -d "/tmp" ]; then
+		local mount_point
+
+		mount_point=$(cd /tmp && /bin/df . | /usr/bin/tail -1 | /usr/bin/awk '{print $6}')
+		if [ X"${mount_point}" = X"/tmp" ]; then
+			echo "WARNING: /tmp is mounted."
+			exit 1
+		fi
+	fi
+
+	# Enable magic symlinks.
+	/sbin/sysctl -qw vfs.generic.magiclinks=1
+
+	# Fixup real temporary directory.
+	if [ ! -d ${per_user_tmp_dir} ]; then
+		/bin/mkdir ${per_user_tmp_dir}
+	fi
+	/usr/sbin/chown root:wheel ${per_user_tmp_dir}
+	/bin/chmod 0111 ${per_user_tmp_dir}
+
+	# Create magic link for /tmp.
+	/bin/rm -rf /tmp
+	/bin/ln -s ${per_user_tmp_dir}/@uid /tmp
+}
+
+load_rc_config $name
+run_rc_command "$1"
--- a/lib/libutil/login_cap.c
+++ b/lib/libutil/login_cap.c
@ -1,4 +1,4 @@
-/*	$NetBSD: login_cap.c,v 1.26 2006/12/20 16:47:13 christos Exp $	*/
+/*	$NetBSD: login_cap.c,v 1.27 2007/02/04 08:19:26 elad Exp $	*/

 /*-
 * Copyright (c) 1995,1997 Berkeley Software Design, Inc. All rights reserved.
@ -36,13 +36,14 @@

 #include <sys/cdefs.h>
 #if defined(LIBC_SCCS) && !defined(lint)
-__RCSID("$NetBSD: login_cap.c,v 1.26 2006/12/20 16:47:13 christos Exp $");
+__RCSID("$NetBSD: login_cap.c,v 1.27 2007/02/04 08:19:26 elad Exp $");
 #endif /* LIBC_SCCS and not lint */
 
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/time.h>
 #include <sys/resource.h>
+#include <sys/param.h>

 #include <assert.h>
 #include <ctype.h>
@ -557,6 +558,7 @@ setclasscontext(const char *class, u_int flags)
 int
 setusercontext(login_cap_t *lc, struct passwd *pwd, uid_t uid, u_int flags)
 {
+	char per_user_tmp[MAXPATHLEN + 1];
 	login_cap_t *flc;
 	quad_t p;
 	int i;
@ -606,6 +608,33 @@ setusercontext(login_cap_t *lc, struct passwd *pwd, uid_t uid, u_int flags)
 		}
 	}

+	/* Create per-user temporary directories if needed. */
+	if (readlink("/tmp", per_user_tmp, sizeof(per_user_tmp)) != -1) {
+		static const char atuid[] = "/@uid";
+		char *lp;
+
+		/* Check if it's magic symlink. */
+		lp = strstr(per_user_tmp, atuid);
+		if (lp != NULL && *(lp + (sizeof(atuid) - 1)) == '\0') {
+			lp++;
+
+			if ((sizeof(per_user_tmp) - (lp - per_user_tmp)) < 64) {
+				syslog(LOG_ERR, "real temporary path too long");
+				login_close(flc);
+				return (-1);
+			}
+			(void)sprintf(lp, "/%u", pwd->pw_uid); /* safe */
+			if (mkdir(per_user_tmp, S_IRWXU) != -1) {
+				(void)chown(per_user_tmp, pwd->pw_uid,
+				    pwd->pw_gid);
+			} else {
+				syslog(LOG_ERR, "can't create `%s' directory",
+				    per_user_tmp);
+			}
+		}
+	}
+	errno = 0;
+
 	if (flags & LOGIN_SETLOGIN)
 		if (setlogin(pwd->pw_name) < 0) {
 			syslog(LOG_ERR, "setlogin(%s) failure: %m",
--- a/lib/libutil/shlib_version
+++ b/lib/libutil/shlib_version
@ -1,5 +1,5 @@
-#	$NetBSD: shlib_version,v 1.42 2006/12/14 20:09:36 he Exp $
+#	$NetBSD: shlib_version,v 1.43 2007/02/04 08:19:26 elad Exp $
 #	Remember to update distrib/sets/lists/base/shl.* when changing
 #
 major=7
-minor=12
+minor=13
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@ -1,4 +1,4 @@
-.\"	$NetBSD: rc.conf.5,v 1.111 2006/12/23 09:12:35 wiz Exp $
+.\"	$NetBSD: rc.conf.5,v 1.112 2007/02/04 08:19:26 elad Exp $
 .\"
 .\" Copyright (c) 1996 Matthew R. Green
 .\" Copyright (c) 1997 Curt J. Sampson
@ -32,7 +32,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd December 4, 2006
+.Dd February 4, 2007
 .Dt RC.CONF 5
 .Os
 .Sh NAME
@ -313,6 +313,18 @@ to trim logfiles before syslogd starts.
 Intended for laptop users.
 Passes
 .Sy newsyslog_flags .
+.It Sy per_user_tmp
+.Sq YES
+or
+.Sq NO .
+Enables a per-user
+.Pa /tmp
+directory.
+.Sy per_user_tmp_dir
+can be used to override the default location of the
+.Dq real
+temporary directories,
+.Dq Pa /private/tmp .
 .It Sy savecore
 .Sq YES
 or
--- a/share/man/man8/security.8
+++ b/share/man/man8/security.8
@ -1,4 +1,4 @@
-.\" $NetBSD: security.8,v 1.13 2007/02/02 02:42:00 elad Exp $
+.\" $NetBSD: security.8,v 1.14 2007/02/04 08:19:26 elad Exp $
 .\"
 .\" Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
 .\" All rights reserved.
@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd February 2, 2007
+.Dd February 4, 2007
 .Dt SECURITY 8
 .Os
 .Sh NAME
@ -46,6 +46,10 @@ Veriexec (file integrity)
 .It
 Exploit mitigation
 .It
+Per-user
+.Pa /tmp
+directory
+.It
 Information filtering
 .El
 .Sh VERIEXEC
@ -297,6 +301,34 @@ Use of
 is especially encouraged on platforms without per-page execute bit granularity
 such as
 .Em i386 .
+.Sh PER-USER TEMPORARY STORAGE
+It is possible to configure per-user temporary storage to avoid potential
+security issues (race conditions, etc.) in programs that do not make secure
+usage of
+.Pa /tmp .
+.Pp
+To enable per-user temporary storage, add the following line to
+.Xr rc.conf 5 :
+.Bd -literal -offset indent
+per_user_tmp=YES
+.Ed
+.Pp
+If
+.Pa /tmp
+is a mount point, you will also need to update its
+.Xr fstab 5
+entry to use
+.Dq /private/tmp
+(or whatever directory you want, if you override the default using the
+.Dq per_user_tmp_dir
+.Xr rc.conf 5
+keyword) instead of
+.Dq /tmp .
+.Pp
+Following that, run:
+.Bd -literal -offset indent
+# /etc/rc.d/perusertmp start
+.Ed
 .Sh INFORMATION FILTERING
 .Nx
 provides administrators the ability to restrict information passed from