Wednesday, July 14, 2010

Getting around 'noexec' issues with /tmp

SkyHi @ Wednesday, July 14, 2010
Many simple exploits used against machines (via vulnerable PHP applications, local users, etc.) rely on being able to execute commands from /tmp. As a security precaution, /tmp is mounted with noexec. This is a good thing and should generally stay that way. There are, however, some circumstances where you may need /tmp to be executable.

(dv) Dedicated Virtual Servers

You can remount /tmp to make it executable by issuing the following command:
mount -o remount,exec /tmp
Once you're done, it's good practice to set /tmp back to noexec:
mount -o remount,noexec /tmp
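Because every method on this page (remount, umount, bind mount, chroot) leaves /tmp in a state that only persists until you undo it or reboot, it is worth verifying the result. The following script is an added example, not part of the original post: it reads /proc/mounts-formatted lines and reports whether a given mountpoint currently carries noexec. The sample mount table is constructed for demonstration; against a live system you would pass the contents of /proc/mounts instead.

```shell
#!/bin/sh
# Added example: confirm whether a mountpoint is mounted noexec.
# Input is text in /proc/mounts format: device mountpoint fstype options dump pass
# The last entry for a mountpoint wins, because later mounts (e.g. a bind
# mount of ~/tmp onto /tmp) shadow earlier ones.

# Constructed sample of /proc/mounts output (not from a real system).
SAMPLE_MOUNTS='/dev/root / ext3 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,relatime 0 0
/root/tmp /root/chroot/tmp none rw,bind 0 0'

# mount_opts MOUNTS_TEXT MOUNTPOINT
# Prints the options field of the last entry for MOUNTPOINT, or nothing.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { opts = $4 } END { if (opts != "") print opts }'
}

# has_opt MOUNTS_TEXT MOUNTPOINT OPTION
# Exit 0 if OPTION appears in the mount options, 1 otherwise.
has_opt() {
    opts=$(mount_opts "$1" "$2") || return 1
    [ -n "$opts" ] || return 1
    case ",$opts," in
        *",$3,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_noexec MOUNTS_TEXT MOUNTPOINT
# Prints a status line. Exit 0 = noexec set, 1 = exec allowed, 2 = not mounted.
check_noexec() {
    if ! mount_opts "$1" "$2" | grep -q .; then
        echo "$2: not mounted"; return 2
    fi
    if has_opt "$1" "$2" noexec; then
        echo "$2: noexec (ok)"; return 0
    else
        echo "$2: exec allowed (WARNING)"; return 1
    fi
}

# Demonstration on the sample table. On a live host use:
#   check_noexec "$(cat /proc/mounts)" /tmp
for mp in /tmp /var/tmp /root/chroot/tmp; do
    check_noexec "$SAMPLE_MOUNTS" "$mp" || :
done
```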

(ve) servers

The process is a bit different for the (ve) Server. Depending on what you're using /tmp for, you have a few options to get around this restriction. For apt-get/aptitude, you can run the following one-liner to make APT use /var/local/tmp instead of /tmp:
echo "APT::ExtractTemplates::TempDir \"/var/local/tmp\";" | tee /etc/apt/apt.conf.d/50extracttemplates && mkdir /var/local/tmp/
Another issue might occur if you attempt to install PECL extensions. To set up a new temporary directory where the extensions are compiled, issue the following commands:
mkdir -p ~/tmp/pear/cache
mkdir -p ~/tmp/pear/temp
pear config-set download_dir ~/tmp/pear/cache
pear config-set temp_dir ~/tmp/pear/temp
If you're simply running ./configure to compile something, most Linux utilities will honor the TMPDIR environment variable. TMPDIR is the canonical Unix environment variable that points to user scratch space; setting it designates a different directory for temporary files instead of the common default of /tmp. Other forms sometimes accepted are TEMP, TEMPDIR, and TMP, but these are used more commonly by non-POSIX operating systems.
Another option is to simply unmount /tmp or /var/tmp:
umount /tmp; umount /var/tmp
Keep in mind that if you reboot your (ve) after you've done this, /tmp and /var/tmp will return to 'noexec'.
Finally, if you're still having trouble, you can bind /tmp to another directory with executable permissions:
mkdir ~/tmp
mount --bind ~/tmp /tmp
When you're finished, unmount the bind mount from /tmp:
umount /tmp

Chrooted /tmp directory

This is a new method that should work for both the (ve) and (dv) product lines, and it ensures that no processes currently accessing /tmp are interrupted in any way. It also ensures that the executable /tmp is never visible to processes already running outside the chroot, which limits your exposure to possible exploits.
First, create a chrooted environment that contains a tmp directory that allows file execution:
root@ve01:~# mkdir -p /root/chroot /root/tmp
root@ve01:~# mount --bind / /root/chroot
root@ve01:~# mount --bind /root/tmp /root/chroot/tmp
Next, chroot into the environment you created.
root@ve01:~# chroot /root/chroot
At this point, you are in the chrooted environment and can run any commands you need to. When you are done, simply type the command 'exit'.
root@ve01:/# exit
Now you are back to your normal environment.