# how big is your /tmp?

## Messiah

Today I discovered that one of our servers at work has been hacked. I found a root shell script in /tmp, owned by group apache (and suid root). Any user who runs that script becomes root, no password needed. And I discovered another executable, namely a backdoor. It ran on port 56655 and, given the password for the app, one could issue root commands. Reading through the security guide I discovered that this problem probably wouldn't have occurred if I had /tmp on another partition, mounted with the options noexec and nosuid.

So a question arises: how big does this partition need to be? And is it a good idea to use a file instead of a partition, and mount that file as /tmp (loopback)? (The last option is the easiest to implement and easier to maintain, but slower. Is the performance good enough?)

Thanks in advance.

[edit: I forgot to mention how big the hd is, let's suppose we are talking about a hd with a capacity of 20 GB]

[edit: May I ask you people to reply with the output of:

`du -Hs /tmp`]

[edit: changed title to how big is your /tmp?]

----------

## fyerk

I would say 512MB should be plenty. This assumes that /tmp replaces /var/tmp which Portage uses. On my box, /var/tmp uses 250MB so far (it's in the middle of an emerge -u world) and /tmp uses about 5 MB.

----------

## pjp

I thought portage could use more than that during compiles?

----------

## fyerk

Well, I guess it can depending on what you're building. From personal experience, mine has never exceeded 512 MB, even during an "emerge -u world"

----------

## rojaro

Depends ... I use tmpfs with a limit of 1 GB (swap is 1.5 GB and real memory is 512 MB) ... also see Daniel Robbins' excellent post here about that topic.

----------
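Messiah's question (separate partition or loopback file for /tmp) and rojaro's size-limited tmpfs all come down to the same fstab line, and after rebooting the same check: is /tmp actually mounted with noexec, nosuid and nodev? The script below is an added example, not code from any poster in this thread. It builds the fstab entry for each of the three approaches and audits a mount table in /proc/mounts format; the device names, the image path /var/tmpimg.ext3, the 512M size and the sample mount lines are constructed.

```shell
#!/bin/sh
# Added example: generate a hardened /tmp fstab entry and verify the
# mounted result. Nothing here mounts anything; put the printed line in
# /etc/fstab and run 'mount /tmp' yourself.

# Options every /tmp should carry: setuid bits ignored, no executables
# run, device nodes not interpreted.
TMP_OPTS="noexec,nosuid,nodev"

# tmp_fstab_line KIND SOURCE SIZE
#   KIND   partition | loop | tmpfs
#   SOURCE block device (partition) or image file (loop); ignored for tmpfs
#   SIZE   tmpfs limit such as 512M; ignored for the other kinds
tmp_fstab_line() {
    kind=$1; src=$2; size=$3
    case $kind in
        partition) printf '%s /tmp ext3 %s 0 2\n' "$src" "$TMP_OPTS" ;;
        loop)      printf '%s /tmp ext3 loop,%s 0 0\n' "$src" "$TMP_OPTS" ;;
        tmpfs)     printf 'tmpfs /tmp tmpfs size=%s,%s 0 0\n' "$size" "$TMP_OPTS" ;;
        *)         echo "unknown kind: $kind" >&2; return 2 ;;
    esac
}

# tmp_mount_check MOUNTTABLE
#   MOUNTTABLE is text in /proc/mounts format:
#   device mountpoint fstype options dump pass
#   Prints a verdict for /tmp; returns 0 only if all three options are present.
tmp_mount_check() {
    opts=$(printf '%s\n' "$1" | awk '$2 == "/tmp" { print $4 }' | tail -n 1)
    if [ -z "$opts" ]; then
        echo "/tmp is not a separate mount (it shares the root filesystem)"
        return 1
    fi
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "/tmp mounted with '$opts', missing:$missing"
        return 1
    fi
    echo "/tmp OK ($opts)"
    return 0
}

# Constructed sample mount tables: a /tmp partition mounted with plain rw,
# and a tmpfs /tmp mounted the way the fstab line above produces it.
SAMPLE_BAD='/dev/hda1 / ext3 rw 0 0
/dev/hda5 /tmp ext3 rw 0 0'
SAMPLE_GOOD='/dev/hda1 / ext3 rw 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,size=524288k 0 0'

if [ "${1:-}" = "demo" ]; then
    tmp_fstab_line tmpfs - 512M
    tmp_fstab_line loop /var/tmpimg.ext3 -
    tmp_fstab_line partition /dev/hda5 -
    tmp_mount_check "$SAMPLE_BAD" || true
    tmp_mount_check "$SAMPLE_GOOD"
    # On a live system: tmp_mount_check "$(cat /proc/mounts)"
fi
```

Run it as `sh tmp-check.sh demo` to see the three fstab variants and both verdicts; on a real box feed it `$(cat /proc/mounts)` from a cron job so a /tmp that silently came back without noexec (a remount, a rescue boot, a typo in fstab) is noticed. The check reads the options as mounted rather than as written in fstab, which is the value that actually matters for a planted setuid file.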

## meyerm

It's perhaps not perfect, but I'm currently experimenting with a new system with a "/" partition (1.5G), mounted read-only, and a "/var" partition (2G), mounted noexec. /home and /tmp are symlinked into /var/home and /var/tmp. Well, perhaps it will work... and perhaps it will be more secure... *g*

----------

## Messiah

I do not want to merge /var/tmp into /tmp. They are just separate: /tmp is used by apache, /var/tmp is not. Or am I confused here? Would it be wise to make a symlink from /tmp to /var/tmp, or the other way round?

----------

## meyerm

Well, perhaps I'm wrong. But temp is temp. They both have the same access rights. So I can delete /tmp, make a symlink /tmp -> /var/tmp and then remount / read-only. Only /var is mounted rw, and this partition doesn't need any executable rights.

----------

## huhmz

But Apache doesn't run as root, so how did the intruder acquire root? Shouldn't the apache exploit just yield a nobody.nouser shell?

----------

## proxy

Once you compromise a system, even just as user nobody or some other unprivileged user, it is relatively simple to run a privilege escalation exploit. The best security is to assume they can ALWAYS get root.

proxy

----------

## huhmz

Yes, yes, but I wanted to know what that privilege escalation exploit was so I could patch against it.

----------

## Messiah

I still don't know how this person (?) did it. Maybe it was something wrong with linuxconf (to clarify and help you out: this box was not Gentoo but Mandrake, and there has been some issue with linuxconf being installed suid root, so that may be the problem). Maybe it was something else. Fact is, I can no longer trust that system. And while I am at it, I will install Gentoo on it, like I already did with 2 other servers, and I am *really* liking Gentoo on my servers. Soon we will upgrade all our servers (currently 9, 2 more coming) to Gentoo!

----------
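Whether the entry point was the planted setuid script in /tmp or a setuid-root linuxconf, the defender's question on every box in this thread is the same: what is setuid or setgid here, and has that set changed since the install? The script below is an added example, not code from any poster. It inventories setuid/setgid files under a tree, compares the result with a saved baseline, and flags anything with those bits inside a world-writable scratch directory, where no legitimate package puts one. The baseline path /var/lib/suid-baseline and the watch list are assumptions.

```shell
#!/bin/sh
# Added example: inventory setuid/setgid files and compare with a baseline.

# suid_inventory DIR...
#   Prints every regular file under the given trees that carries the
#   setuid or setgid bit, one path per line, sorted so runs can be compared.
suid_inventory() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# suid_diff BASELINE_FILE INVENTORY_FILE
#   Prints '+ path' for files that gained the bit since the baseline (new
#   privilege) and '- path' for files that lost it. Returns 1 if anything
#   was added, so the caller can raise an alert. Both inputs must be sorted.
suid_diff() {
    added=$(comm -13 "$1" "$2")
    removed=$(comm -23 "$1" "$2")
    printf '%s\n' "$added"   | sed '/^$/d; s/^/+ /'
    printf '%s\n' "$removed" | sed '/^$/d; s/^/- /'
    [ -z "$added" ]
}

# World-writable scratch directories (assumed list): a setuid file here is
# wrong no matter what the baseline says.
SUID_WATCH_DIRS="/tmp /var/tmp /dev/shm"

# suid_in_scratch
#   Returns 1 and lists offenders if any setuid/setgid file sits in a
#   scratch directory.
suid_in_scratch() {
    found=$(suid_inventory $SUID_WATCH_DIRS)
    [ -z "$found" ] || { printf '%s\n' "$found" | sed 's/^/planted: /'; return 1; }
}

if [ "${1:-}" = "run" ]; then
    base=${2:-/var/lib/suid-baseline}   # assumed location for the baseline
    now=$(mktemp)
    suid_inventory / >"$now"
    if [ ! -f "$base" ]; then
        cp "$now" "$base"; echo "baseline written to $base"
    else
        suid_diff "$base" "$now" || echo "ALERT: new setuid/setgid files since baseline"
    fi
    suid_in_scratch || echo "ALERT: setuid/setgid file in a scratch directory"
    rm -f "$now"
fi
```

Run `sh suid-audit.sh run` once right after installation to write the baseline (from a system you still trust, as the last post points out), then from cron; a `+` line for a path under /tmp, or a new setuid binary such as a configuration tool that the package manager did not install that way, is the signal this thread's attacker would have produced.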

