I have created a really really short life temporary directory that I wanted to share between some users for a few hours : /some/path/tmp
Unfortunately I have launched sudo chown 777 -R /tmp instead of sudo chown 777 -R tmp, so my /tmp file is now completely public.
Is it a security concern now that it is completely set to public? Should I change it back to more secure settings? What are the correct permissions for /tmp?
Best Answer
The normal settings for
/tmpare 1777, whichlsshows asdrwxrwxrwt. That is: wide open, except that only the owner of a file can remove it (that's what this extratbit means for a directory).The problem with a
/tmpwith mode 777 is that another user could remove a file that you've created and substitute the content of their choice.If your
/tmpis a tmpfs filesystem, a reboot will restore everything. Otherwise, runchmod 1777 /tmp.Additionally, a lot of files in
/tmpneed to be private. However, at least one directory critically needs to be world-readable:/tmp/.X11-unix, and possibly some other similar directories (/tmp/.XIM-unix, etc.). The following command should mostly set things right:I.e. make all files and directories private (remove all permissions for group and other), but make the X11 sockets accessible to all. Access control on these sockets is enforced by the server, not by the file permissions. There may be other sockets that need to be publicly available. Run
find /tmp -type s -user 0to discover root-owned sockets which you may need to make world-accessible. There may be sockets owned by other system users as well (e.g. to communicate with a system bus); explore withfind /tmp -type s ! -user $UID(where$UIDis your user ID).