I have created a really really short life temporary directory that I wanted to share between some users for a few hours: /some/path/tmp

Unfortunately I have launched sudo chown 777 -R /tmp instead of sudo chown 777 -R tmp, so my /tmp file is now completely public.

Is it a security concern now that it is completely set to public? Should I change it back to more secure settings? What are the correct permissions for /tmp?

Best Answer
The normal settings for /tmp are 1777, which ls shows as drwxrwxrwt. That is: wide open, except that only the owner of a file can remove it (that's what this extra t bit means for a directory).

The problem with a /tmp with mode 777 is that another user could remove a file that you've created and substitute the content of their choice.

If your /tmp is a tmpfs filesystem, a reboot will restore everything. Otherwise, run chmod 1777 /tmp.

Additionally, a lot of files in /tmp need to be private. However, at least one directory critically needs to be world-readable: /tmp/.X11-unix, and possibly some other similar directories (/tmp/.XIM-unix, etc.). The following command should mostly set things right:

I.e. make all files and directories private (remove all permissions for group and other), but make the X11 sockets accessible to all. Access control on these sockets is enforced by the server, not by the file permissions. There may be other sockets that need to be publicly available. Run find /tmp -type s -user 0 to discover root-owned sockets which you may need to make world-accessible. There may be sockets owned by other system users as well (e.g. to communicate with a system bus); explore with find /tmp -type s ! -user $UID (where $UID is your user ID).
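
One way to script the check and repair described in the answer above, as an added example that is not the answer's own command. The function names, the `.*-unix` name pattern for the socket directories, and the scratch directory standing in for /tmp are assumptions; symlinks are skipped so a link planted in the world-writable directory cannot redirect the chmod.

```shell
#!/bin/sh
# Added example. Function names and the '.*-unix' pattern are assumptions.

# True if DIR shows the mode the answer calls normal for /tmp (1777).
tmp_mode_ok() {
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "drwxrwxrwt" ]
}

# Count world-writable entries below DIR, ignoring the socket directories
# and symlinks (whose own mode bits are meaningless).
count_world_writable() {
    find "$1" -mindepth 1 -type d -name '.*-unix' -prune \
        -o ! -type l -perm -002 -print | wc -l | tr -d ' '
}

# Socket directories get 1777 and are not descended into; everything else
# loses group/other access. Symlinks are skipped: chmod on a symlink would
# change the file it points to, which may lie outside DIR.
repair_tmp() {
    find "$1" -mindepth 1 -type d -name '.*-unix' -exec chmod 1777 {} + -prune \
        -o ! -type l -exec chmod go-rwx {} +
    chmod 1777 "$1"
}

# Constructed scratch tree standing in for /tmp; nothing outside it is touched.
demo() {
    scratch=$(mktemp -d) || return 1
    mkdir "$scratch/.X11-unix" "$scratch/work"
    : > "$scratch/.X11-unix/X0"     # regular file standing in for a socket
    : > "$scratch/work/secret"
    chmod -R 777 "$scratch"         # reproduce the recursive 777
    echo "before: $(ls -ld "$scratch" | cut -c1-10), $(count_world_writable "$scratch") world-writable"
    repair_tmp "$scratch"
    echo "after:  $(ls -ld "$scratch" | cut -c1-10), $(count_world_writable "$scratch") world-writable"
    rm -rf "$scratch"
}
demo
```

Try it on a copy or scratch directory first; on a live /tmp it must run as root, and sockets found with the find commands above may still need their access widened by hand.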