The CIS standard for Ubuntu 14.04 LTS (01-07-2015) states that the /tmp directory should be mounted with a nodev flag - this is under the FileSystem Configuration (Section 2). This prevents the creation of block and character special devices.

Is someone able to confirm how an attacker could exploit the /tmp directory not being mounted with the nodev flag?

To my understanding, the device files (which to my understanding allow low-level connection to connected hardware devices) generally appear in /dev directory for connecting devices and are typically not accessible unless you have a root or tty user. The /dev directory is also not writable by a user other than root.

John

1 Answer


With the mknod command it is possible to create device files other than those that already exist in /dev.

$ sudo mknod /tmp/sda b 8 0 
$ fdisk -l /tmp/sda
Disk sda: 80 GiB, 85899345920 bytes, 167772160 sectors
...

When a filesystem is mounted nodev, you can still create such device-files, but they are no longer usable.

An attack on /tmp files works like this. A program with elevated privileges opens some temporary file in /tmp and writes something to it. An attacker will beforehand do something to this file so that the program actually writes to another file.

  • The attacker symlinks /tmp/tmp1234 to /etc/passwd.
  • Root runs some program which writes to /tmp/tmp1234 as a temporary file.
  • /etc/passwd gets overwritten.

You can see that if /tmp/tmp1234 is not a symbolic link but a device file instead, the program would write to /dev/sda, or some other device, which could have bad results.

Sjoerd

Your proposed scenario requires root to create the device file in the first place, which would be highly unusual. All the digression about symlinks in your answer is irrelevant. – Gilles 'SO- stop being evil' Sep 12 '16 at 08:51
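As an added example (not part of the question, the answer or the CIS benchmark itself), here is a small POSIX shell audit of the control under discussion: it checks whether /tmp carries the nodev option in /proc/mounts and lists any block or character special files already sitting under it. The sample mount lines are constructed, and the function names and the assumption that /proc/mounts uses the usual six-field format are mine.

```shell
#!/bin/sh
# Added audit example for the CIS "/tmp mounted with nodev" control.
# Assumes Linux /proc/mounts format: "<src> <mountpoint> <fstype> <opts> 0 0".

# has_mount_option MOUNTS_TEXT MOUNTPOINT OPTION
# Returns 0 when MOUNTPOINT appears in MOUNTS_TEXT with OPTION in its
# comma-separated option list, 1 otherwise (including "not mounted at all").
has_mount_option() {
    mounts="$1"; mnt="$2"; opt="$3"
    printf '%s\n' "$mounts" | awk -v mnt="$mnt" -v opt="$opt" '
        $2 == mnt {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# list_device_nodes DIR
# Prints block/char special files under DIR. Even with nodev set these are
# worth reporting: they become usable again if the mount is ever remounted
# without the flag, so they should not exist on a world-writable filesystem.
list_device_nodes() {
    find "$1" -xdev \( -type b -o -type c \) 2>/dev/null
}

# audit_tmp MOUNTS_TEXT: PASS/FAIL verdict for the nodev requirement on /tmp.
audit_tmp() {
    if has_mount_option "$1" /tmp nodev; then
        echo "PASS: /tmp is mounted with nodev"
        return 0
    fi
    echo "FAIL: /tmp is not mounted with nodev"
    return 1
}

# Constructed sample /proc/mounts lines: one compliant /tmp, one not.
SAMPLE_GOOD='tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_BAD='/dev/sda3 /tmp ext4 rw,relatime,data=ordered 0 0'

# To run against the live system instead of the samples:
#   audit_tmp "$(cat /proc/mounts)"; list_device_nodes /tmp
```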