What are correct permissions for /tmp ? I unintentionally set it all public recursively

I have created a really, really short-lived temporary directory that I wanted to share between some users for a few hours: /some/path/tmp

Unfortunately I have launched sudo chown 777 -R /tmp instead of sudo chown 777 -R tmp, so my /tmp file is now completely public.

Is it a security concern now that it is completely set to public? Should I change it back to more secure settings? What are the correct permissions for /tmp?

Answers:


Method 1

The normal settings for /tmp are 1777, which ls shows as drwxrwxrwt. That is: wide open, except that only the owner of a file can remove it (that’s what this extra t bit means for a directory).

The problem with a /tmp with mode 777 is that another user could remove a file that you’ve created and substitute the content of their choice.

If your /tmp is a tmpfs filesystem, a reboot will restore everything. Otherwise, run chmod 1777 /tmp.

Additionally, a lot of files in /tmp need to be private. However, at least one directory critically needs to be world-readable: /tmp/.X11-unix, and possibly some other similar directories (/tmp/.XIM-unix, etc.). The following command should mostly set things right:

chmod 1777 /tmp
find /tmp -mindepth 1 -name '.*-unix' -exec chmod 1777 {} + -prune -o -exec chmod go-rwx {} +

I.e. make all files and directories private (remove all permissions for group and other), but make the X11 sockets accessible to all. Access control on these sockets is enforced by the server, not by the file permissions. There may be other sockets that need to be publicly available. Run find /tmp -type s -user 0 to discover root-owned sockets which you may need to make world-accessible. There may be sockets owned by other system users as well (e.g. to communicate with a system bus); explore with find /tmp -type s ! -user $UID (where $UID is your user ID).

Method 2

/tmp and /var/tmp should have read, write and execute rights for all; but you'd usually also add the sticky bit (o+t), to prevent users from removing files/directories belonging to other users. So chmod a=rwx,o+t /tmp should work.

As for changing permissions recursively… As long as the owner/group remains as it is for the files and directories, it shouldn’t be that much of a problem. But you could perhaps change the permission of everything under /tmp (not /tmp itself) to ensure users’ privacy, by removing the rx rights of others and perhaps the group.

Find is a good way of doing this. As root, do:

cd /tmp
find . -type f -exec chmod u=rw,go= {} \;   # (or u=rw,g=r,o= {})
find . -type d -exec chmod u=rwx,go= {} \;  # (or u=rwx,g=rx,o= {})
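
The following script is an added example, not code from either of the answers above. It rehearses the Method 1 repair (1777 on the top level, the X11-style socket directories kept world-accessible, everything else stripped of group and other permissions) on a constructed throwaway tree rather than on the real /tmp, so the effect of the find expression can be inspected with stat before it is run for real. The tree layout (a user directory named alice, a fake X0 socket, a scratch.log) is invented for the demonstration; the script assumes GNU coreutils for stat -c '%a' and a find that understands -mindepth and '-exec ... {} +'. The sticky bit's actual effect (only a file's owner may unlink it) needs a second user to exercise, so only the resulting modes are checked.

```shell
#!/bin/sh
# Added example, not code from the original answers: rehearse the Method 1
# repair on a constructed tree that imitates a /tmp wrongly opened up with
# "chmod -R 777". Assumes GNU stat (-c '%a') and a find supporting -mindepth
# and '-exec ... {} +'. All path names below are invented for the demo.

# Octal mode of a path, e.g. 1777 for /tmp or 700 for a private file.
mode_of() {
    stat -c '%a' "$1"
}

# Number of world-writable entries below (and including) a directory.
world_writable_count() {
    find "$1" -perm -0002 | wc -l | tr -d ' '
}

# Build the constructed tree under $1 and open it all up, as the mishap did.
make_mock_tmp() {
    mkdir -p "$1/.X11-unix" "$1/.ICE-unix" "$1/alice/cache"
    : > "$1/.X11-unix/X0"          # stands in for the X server's socket
    : > "$1/alice/notes.txt"
    : > "$1/scratch.log"
    chmod -R 777 "$1"
}

# Method 1's repair, parameterised on the directory so it can be rehearsed:
# - the top level gets 1777 (world rwx plus the sticky bit);
# - every '.*-unix' directory gets 1777 and is pruned, so its contents
#   (the sockets) are left exactly as they were;
# - everything else loses all group and other permissions.
fix_tmp_perms() {
    chmod 1777 "$1"
    find "$1" -mindepth 1 -name '.*-unix' \
        -exec chmod 1777 {} + -prune -o -exec chmod go-rwx {} +
}

# Return 0 if the tree under $1 looks like a correctly repaired /tmp,
# 1 otherwise, reporting each check on stdout.
check_tmp_perms() {
    rc=0
    expect() {   # expect <path> <octal mode>
        got=$(mode_of "$1")
        if [ "$got" = "$2" ]; then
            echo "ok   $1 -> $got"
        else
            echo "FAIL $1 -> $got (expected $2)"
            rc=1
        fi
    }
    expect "$1" 1777
    expect "$1/.X11-unix" 1777
    expect "$1/.ICE-unix" 1777
    expect "$1/alice" 700
    expect "$1/alice/cache" 700
    expect "$1/alice/notes.txt" 700
    expect "$1/scratch.log" 700
    return "$rc"
}

# Stand-alone demonstration: build, repair, verify, clean up.
main() {
    work=$(mktemp -d)
    make_mock_tmp "$work"
    echo "world-writable entries before: $(world_writable_count "$work")"
    fix_tmp_perms "$work"
    echo "world-writable entries after:  $(world_writable_count "$work")"
    check_tmp_perms "$work"
    status=$?
    rm -rf "$work"
    return "$status"
}

main
```

Note that the -prune leaves whatever is inside the .*-unix directories untouched, so a socket that was opened to 777 stays 777; that matches how X11 sockets are normally created, and access to them is controlled by the X server rather than by the file mode, as Method 1 says. Run the same fix_tmp_perms against the real /tmp only as root, after the rehearsal shows the modes you expect.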

Method 3

[root@Niflheim tmp]# ls -alF .
total 1632
drwxrwxrwt 15 root root    4096 Apr  7 04:24 ./
drwxr-xr-x 28 root root    4096 Apr  2 21:02 ../
[root@Niflheim tmp]# stat -c '%A %a %n' .
drwxrwxrwt 1777 .

From a CentOS 5.9 machine.


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
