On Friday, 2023-05-12 at 21:48:55 -0400, Michael Lazin wrote:
> The thing that caught my eye is disabling execution for /tmp.  I
> managed thousands of Debian servers at one time and I often found hacker
> scripts in ./tmp because of a WordPress exploit.  This is because /tmp is
> world writable and presumably people who don't know better are unlikely to
> look for bad scripts there.  While I agree pulling third scripts with curl
> is cringe-worthy I think Ossec HIDS is an exception because it is GNU
> Public licensed.

Because of a bug in the current version of Nitrokey's App 2 I became
aware that the /tmp on the machine I tested that app on was set to
default, i.e. rw,noatime. I set it to rw,nosuid,nodev,noexec,noatime
only to find out that the app did some dirty tricks to run that did not
work anymore with those mount options. See my ticket on GitHub:
https://github.com/Nitrokey/nitrokey-app2/issues/54#issuecomment-1525455482

The problem is pyinstaller.

Which means that using a secure /tmp prevents this from working. I did
not check if pyinstaller respects TMPDIR or some such ENV variable. But
in the general case, one can't rely on this for every braindead
installer.

HTH,
Lupe Christoph

PS: BTW, just because something is GPLed does not mean it's trustworthy.
-- 
| Never attribute to malice that which is adequately explained by stupidity.   |
|     Hanlon's razor                                                           |
| Never attribute to malice that which can adequately be explained by awarding |
| every job to the lowest bidder.                                              |
|     From The Daily WTF https://thedailywtf.com/articles/thanks               |
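
An added example, not part of the original message: a POSIX shell check that reports which of the nosuid, nodev and noexec options discussed above a mount point lacks. The function names `missing_opts` and `sample_mounts` and the sample mount table are constructed for illustration; reading /proc/mounts by default assumes Linux.

```shell
#!/bin/sh
# Option set taken from the message above (rw,nosuid,nodev,noexec,noatime).
REQUIRED="nosuid nodev noexec"

# Constructed sample in /proc/mounts format, so the check can run anywhere.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,noatime 0 0
tmpfs /tmp tmpfs rw,noatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,noatime 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime 0 0
EOF
}

# missing_opts MOUNTPOINT [MOUNTS_FILE]   ("-" reads the table from stdin)
# Prints the required options that MOUNTPOINT lacks, space-separated.
# Prints "not-a-mount" when MOUNTPOINT has no entry of its own, e.g. /tmp
# living on the root filesystem, where it cannot get options of its own.
missing_opts() {
    mp=$1
    mounts=${2:-/proc/mounts}
    # Field 2 is the mount point, field 4 the comma-separated options.
    # The last matching line wins because later mounts shadow earlier ones.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts")
    if [ -z "$opts" ]; then
        echo "not-a-mount"
        return 0
    fi
    missing=""
    for want in $REQUIRED; do
        # Wrap in commas so "exec" can never match inside "noexec".
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing${missing:+ }$want" ;;
        esac
    done
    echo "$missing"
}

# Demonstration on the constructed table only.
for mp in /tmp /dev/shm /run /var/tmp; do
    printf '%s: missing [%s]\n' "$mp" "$(sample_mounts | missing_opts "$mp" -)"
done
```

Calling `missing_opts /tmp` with no second argument reads the live /proc/mounts instead of the sample table.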
