make symlink attacks and other /tmp based attacks harder or impossible using libpam-tmpdir

Patrick · June 29, 2019, 7:42pm

Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions [CUST-0280]
https://your-domain.example.org/controls/CUST-0280/

So let’s install Debian -- Details of package libpam-tmpdir in buster by default?

automatic per-user temporary directories

Many programs use $TMPDIR for storing temporary files. Not all of them are good at securing the permissions of those files. libpam-tmpdir sets $TMPDIR and $TMP for PAM sessions and sets the permissions quite tight. This helps system security by having an extra layer of security, making such symlink attacks and other /tmp based attacks harder or impossible

madaidan · June 29, 2019, 9:14pm

I’m not entirely sure how that works or how it would help. Don’t most programs just use /tmp?

Doesn’t seem to install properly for me.

Patrick · June 30, 2019, 10:29am

Most programs use mktemp, I think, I hope? Or some sort of API around it? The are not supposed to have their own logic of creating a temp folder. That is supposed to be abstracted and secure.

As far as I understand libpam-tmpdir attempts to make this process more secure by adding per-user temp folder separation.

It sets environment variables TMP and TEMP to /tmp/user/<userid>. These will then be private temp folders.

Not sure that is really needed but might be since systemd also has an instance PrivateTmp=true?

Examples:

user:

mktemp

/tmp/user/1000/tmp.16V0NDw304

root:

mktemp

/tmp/user/0/tmp.SWfIATj8AU

Unfortunately it seems to be incompatible with some Debian packaging tools? Perhaps since this package is rather unpopular? Examples:

dpkg-deb: building package 'pbuilder-satisfydepends-dummy' in '/tmp/satisfydepends-aptitude/pbuilder-satisfydepends-dummy.deb'.
dpkg-deb: error: failed to make temporary file (control member): No such file or directory
E: pbuilder-satisfydepends failed.

Happening during 1100_prepare-build-machine cowbuilder --create. Perhaps since environment variables user vs root do not match in chroot. Unsetting the TMP / TEMP environment variables and/or installing libpam-tmpdir in chroot does not solve this issue either.

+ /usr/lib/security-misc/apt-get-wrapper -o Acquire::http::Proxy=http://127.0.0.1:3142 -o Acquire::https::Proxy=http://127.0.0.1:3142 -o Acquire::tor::Proxy=http://127.0.0.1:3142 -o Acquire::Languages=none -o Acquire::IndexTargets::deb::Contents-deb::DefaultEnabled=false -o Acquire::Retries=3 -o Acquire::BlockDotOnion=false update
+ set -e
+ set -o pipefail
+ set -o errtrace
++ mktemp --directory
mktemp: failed to create directory via template '/tmp/user/0/tmp.XXXXXXXXXX': No such file or directory

madaidan · June 30, 2019, 1:32pm

Ohh. That makes sense. It would be good to install that by default then.

We should contact upstream about the errors.

Patrick · November 3, 2023, 2:53pm

github.com/Kicksecure/security-misc

Depend on libpam-tmpdir for very solid extra security

Kicksecure:master ← monsieuremre:PAM-tmp-files-hardening

opened 09:40AM - 02 Nov 23 UTC

monsieuremre

+1 -1

I am not quite sure if this would be the right way to add a dependency. But we s…hould definetely depend on this package. https://packages.debian.org/bookworm/libpam-tmpdir >Many programs use $TMPDIR for storing temporary files. Not all of them are good at securing the permissions of those files. libpam-tmpdir sets $TMPDIR and $TMP for PAM sessions and sets the permissions quite tight. This helps system security by having an extra layer of security, making such symlink attacks and other /tmp based attacks harder or impossible.

Patrick · November 3, 2023, 4:01pm

sudo apt install libpam-tmpdir breaks cowbuilder

Debian upstream bug report:
pbuilder: fails with cryptic message when $TMPDIR/$TEMP != /tmp (i.e. libpam-tmpdir)

Patrick · November 3, 2023, 4:13pm

This was done.

github.com/Kicksecure/genmkfile

add workaround for `libpam-tmpdir` compatibility

committed 04:01PM - 03 Nov 23 UTC

adrelanos

+22 -11

`--unset=TMPDIR` Setting `TMPDIR` breaks `pbuilder` (which gets called by `cowb…uilder`). Installing `libpam-tmpdir` (security-feature) results in these variables being set. In other words: "`sudo apt install libpam-tmpdir` breaks `cowbuilder`" https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823651 https://github.com/Kicksecure/security-misc/pull/147 https://forums.whonix.org/t/make-symlink-attacks-and-other-tmp-based-attacks-harder-or-impossible-using-libpam-tmpdir/8488

This is now in the developers repository.

Patrick · November 8, 2023, 3:56pm

github.com/grml/grml-debootstrap

libpam-tmpdir breaks grml-debootstrap

opened 03:55PM - 08 Nov 23 UTC

adrelanos

https://packages.debian.org/bookworm/libpam-tmpdir breaks grml-debootstrap. `…`` + chroot /mnt/derivative-maker-grml-debootstrap.10940 dpkg --list grub-pc + echo 'Notice: grub-pc package not present yet, installing it therefore.' Notice: grub-pc package not present yet, installing it therefore. + DEBIAN_FRONTEND=noninteractive + chroot /mnt/derivative-maker-grml-debootstrap.10940 apt-get -y --no-install-recommends install -o Acquire::http::Proxy=http://127.0.0.1:3142 -o Acquire::https::Proxy=http://127.0.0.1:3142 -o Acquire::tor::Proxy=http://127.0.0.1:3142 -o APT::Update::Error-Mode=any -o Acquire::Languages=none -o Acquire::IndexTargets::deb::Contents-deb::DefaultEnabled=false -o Apt::Install-Recommends=false -o Acquire::Retries=5 -o Dpkg::Options::=--force-confnew grub-pc Reading package lists... Done Building dependency tree... Done Reading state information... Done The following additional packages will be installed: dmsetup gettext-base grub-common grub-pc-bin grub2-common libbrotli1 libdevmapper1.02.1 libefiboot1 libefivar1 libfreetype6 libfuse2 libpng16-16 sensible-utils ucf Suggested packages: multiboot-doc grub-emu mtools xorriso desktop-base console-setup fuse Recommended packages: os-prober The following NEW packages will be installed: dmsetup gettext-base grub-common grub-pc grub-pc-bin grub2-common libbrotli1 libdevmapper1.02.1 libefiboot1 libefivar1 libfreetype6 libfuse2 libpng16-16 sensible-utils ucf 0 upgraded, 15 newly installed, 0 to remove and 0 not upgraded. Need to get 6068 kB of archives. After this operation, 27.8 MB of additional disk space will be used. ... Setting up grub-pc (2.06-13+deb12u1) ... mktemp: failed to create file via template '/tmp/user/0/grub.XXXXXXXXXX': No such file or directory dpkg: error processing package grub-pc (--configure): installed grub-pc package post-installation script subprocess returned error exit status 1 Processing triggers for libc-bin (2.36-9+deb12u3) ... Errors were encountered while processing: grub-pc E: Sub-process /usr/bin/dpkg returned an error code (1) ``` Running: ``` chroot "${MNTPOINT}" mkdir --parents /tmp/user/0/ ``` before: ``` if ! chroot "${MNTPOINT}" dpkg --list grub-pc 2>/dev/null | grep -q '^ii' ; then echo "Notice: grub-pc package not present yet, installing it therefore." # shellcheck disable=SC2086 DEBIAN_FRONTEND=$DEBIAN_FRONTEND chroot "$MNTPOINT" apt-get -y --no-install-recommends install $DPKG_OPTIONS grub-pc fi ``` Fixes this. For the purpose of a PR to fix this: Can I add this mkdir unconditionally or should this only be done conditionally if using libpam-tmpdir (in that case environment variables TMP, TEMP and TMPDIR will be set accordingly already). I will also investigate alternative solutions. 1 comes to mind. Maybe installing libpam-tmpdir inside the chroot would prevent this too. Will test.

Patrick · November 8, 2023, 7:11pm