mount /tmp /var/tmp /dev/shm with nodev nosuid #5329

Open
adrelanos opened this issue Sep 18, 2019 · 7 comments
Labels
C: templates P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. security This issue pertains to the security of Qubes OS.

Comments

@adrelanos
Member

These folders

  • /tmp
  • /var/tmp
  • /dev/shm

are user writable.

Similar to

Quote Joanna (founder of Qubes OS):

I've been recently talking about this with Solar Designer of Openwall (a person who probably knows more about Linux security model than most of us together)

Quote solar:

Ideally, there should be no SUID binaries reachable from the user account, as otherwise significant extra attack surface inside the VM is exposed (dynamic linker, libc startup, portions of Linux kernel including ELF loader, etc.)

Therefore I concluded:
SUID has to go away.
At least user (speak: possibly malware) created SUID should be prevented from being easily executed.

Getting rid of SUID binaries which are installed by default is worthwhile too but less trivial. Therefore out of scope for this ticket.

@adrelanos adrelanos added P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. labels Sep 18, 2019
@marmarek
Member

nodev and nosuid in those paths are probably ok, but noexec for /tmp and /var/tmp will break things. I've seen multiple applications that create temporary scripts there (for example, post-installation tasks by anaconda are handled this way).

Additionally, on Debian, neither /tmp nor /var/tmp are separate mount points, so you can really remount them with different options than root fs (and you definitely don't want noexec on /). On Fedora, /tmp is a separate mount point, but not /var/tmp.

Anyway, noexec doesn't give you that much unless you do that in every user-writable location. And doing that in $HOME would significantly reduce functionality (no longer scripts in ~/bin or pip install --user, possibly also flatpak installed into home dir would break).

@andrewdavidwong andrewdavidwong added C: templates security This issue pertains to the security of Qubes OS. T: enhancement and removed T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. labels Sep 19, 2019
@andrewdavidwong andrewdavidwong added this to the Far in the future milestone Sep 19, 2019
@adrelanos
Member Author

noexec: agreed.
(I have questions about noexec too.)
(Enabling noexec could be future work / opt-in.)


Additionally, on Debian, neither /tmp nor /var/tmp are separate mount points, so you can really remount them with different options than root fs

Can't we use bind mount? Anything speaking against that?

security-misc (#1885) runs /bin/mount -o remount,nosuid,nodev,noexec,hidepid=2 /proc (proc-hidepid.service). Functional. Seems stable.

We could use something like this...

sudo mount -o nosuid,nodev --bind /tmp /tmp

related forum discussion:
(re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security?

@adrelanos adrelanos changed the title mount /tmp /var/tmp /dev/shm with nodev nosuid noexec mount /tmp /var/tmp /dev/shm with nodev nosuid Sep 19, 2019
@marmarek
Member

Can't we use bind mount?

No, bind mounts can't change options.

@adrelanos
Member Author

adrelanos commented Sep 19, 2019 via email

@marmarek
Member

Are you sure you didn't have /tmp as a separate mount (partition or whatever) in the first place?
If it wasn't, it doesn't work at least here:

root@testvm:~# mount|grep ' /tmp'
root@testvm:~# mount -o nodev,nosuid --bind /tmp /tmp
root@testvm:~# mount|grep ' /tmp'
/dev/xvda3 on /tmp type ext4 (rw,noatime,discard)
root@testvm:~# mknod /tmp/xvda3 b 202 3
root@testvm:~# ls -l /tmp/xvda3
brw-rw-r-- 1 root root 202, 3 Sep 19 19:11 /tmp/xvda3
root@testvm:~# hexdump -C /tmp/xvda3|head
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000400  30 d1 09 00 fb 34 27 00  d9 f5 01 00 7c 7d 10 00  |0....4'.....|}..|
00000410  b6 79 06 00 00 00 00 00  02 00 00 00 02 00 00 00  |.y..............|
00000420  00 80 00 00 00 80 00 00  d0 1f 00 00 71 43 58 5d  |............qCX]|
00000430  70 43 58 5d 2d 00 ff ff  53 ef 01 00 01 00 00 00  |pCX]-...S.......|
00000440  fb 68 3e 5a 00 00 00 00  00 00 00 00 01 00 00 00  |.h>Z............|
00000450  00 00 00 00 0b 00 00 00  00 01 00 00 3c 00 00 00  |............<...|
00000460  c6 02 00 00 7b 00 00 00  a2 45 4f a1 ee eb 4b b5  |....{....EO...K.|
00000470  bc 25 0f 41 6d 28 b2 ae  00 00 00 00 00 00 00 00  |.%.Am(..........|

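The transcript above checks whether nodev actually took effect on /tmp by creating a device node there and reading it back. A lighter check is to read the per-mountpoint option field (field 6) of /proc/self/mountinfo, which is where the kernel records nodev/nosuid for each mount point. The script below is an added example, not code from this issue or from the Qubes or security-misc projects: it audits the three paths named in the issue title and, for a directory that is not a mount point of its own, prints the two-step sequence that util-linux's mount(8) documents for a bind mount with options (bind first, then `remount,bind` with the flags, since the first step alone copies the source's flags). The mountinfo table embedded in the script is constructed sample data; pass `--live` to audit the running system instead.

```shell
#!/bin/sh
# Added example, not code from the Qubes issue: audit whether /tmp, /var/tmp and
# /dev/shm carry the nodev/nosuid per-mountpoint flags and print the remediation
# that mount(8) documents (bind, then remount,bind with the flags).

# Constructed sample in /proc/self/mountinfo format, used when run offline.
# Fields: id parent maj:min root mountpoint vfs-opts ... - fstype source sb-opts
# /var/tmp is deliberately absent: in this sample it lives on the root fs.
SAMPLE_MOUNTINFO='22 1 202:3 / / rw,noatime - ext4 /dev/xvda3 rw,discard
40 22 0:35 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
41 22 0:36 / /dev/shm rw,nosuid - tmpfs tmpfs rw'

WANTED_FLAGS="nodev nosuid"
HARDEN_PATHS="/tmp /var/tmp /dev/shm"

# vfs_opts MOUNTINFO PATH: print the per-mountpoint option string for PATH,
# or nothing if PATH is not a mount point of its own.
vfs_opts() {
  printf '%s\n' "$1" | awk -v p="$2" '$5 == p { print $6; exit }'
}

# missing_flags MOUNTINFO PATH: print the wanted flags PATH lacks, separated by
# spaces; prints "not-a-mountpoint" when no per-path flags can apply at all.
# Returns 0 only when nothing is missing.
missing_flags() {
  opts=$(vfs_opts "$1" "$2")
  if [ -z "$opts" ]; then
    echo not-a-mountpoint
    return 1
  fi
  missing=""
  for f in $WANTED_FLAGS; do
    case ",$opts," in
      *",$f,"*) ;;                              # flag present
      *) missing="${missing:+$missing }$f" ;;   # flag absent
    esac
  done
  echo "$missing"
  [ -z "$missing" ]
}

# remediation MOUNTINFO PATH: print the mount commands that would give PATH the
# wanted flags. An existing mount point only needs a remount; a plain directory
# first needs a bind mount onto itself, after which the flags are applied by a
# second "remount,bind" step, as documented in util-linux mount(8).
remediation() {
  flags=$(echo "$WANTED_FLAGS" | tr ' ' ',')
  if [ -n "$(vfs_opts "$1" "$2")" ]; then
    echo "mount -o remount,$flags $2"
  else
    echo "mount --bind $2 $2"
    echo "mount -o remount,bind,$flags $2"
  fi
}

# audit MOUNTINFO: report every hardening path; return 1 if any needs work.
audit() {
  rc=0
  for p in $HARDEN_PATHS; do
    m=$(missing_flags "$1" "$p") && { echo "$p: ok ($(vfs_opts "$1" "$p"))"; continue; }
    rc=1
    echo "$p: missing $m"
    remediation "$1" "$p" | sed 's/^/    /'
  done
  return $rc
}

if [ "${1:-}" = "--live" ]; then
  audit "$(cat /proc/self/mountinfo)"   # audit the running system
else
  audit "$SAMPLE_MOUNTINFO" || :        # offline demo on the constructed table
fi
```

Running the audit again after applying the printed commands is the quick version of the mknod test in the transcript: once field 6 shows nodev and nosuid for the path, the kernel will refuse to open device nodes and honour set-uid bits there regardless of what is created in the directory.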
@adrelanos
Member Author

adrelanos commented Sep 21, 2019 via email

@andrewdavidwong andrewdavidwong removed this from the Release TBD milestone Aug 13, 2023
@adrelanos
Member Author

security-misc (#1885) now has a dracut module that makes maximum use of all the recommended mount hardening options. It works in Kicksecure and Non-Qubes-Whonix.

Not in the stable repository yet at time of writing.

Also opt-in.

Has various settings where to (not) enable the various mount options. Documented here:
https://www.kicksecure.com/wiki/Security-misc#Remount_Secure
