On Sat, Jul 01, 2006 at 09:39:28PM +0200, Joachim Schipper wrote:
> Yes, but /etc/rc doesn't:
>
> # prune quickly with one rm, then use find to clean up /tmp/[lq]*
> # (not needed with mfs /tmp, but doesn't hurt there...)
> (cd /tmp && rm -rf [a-km-pr-zA-Z]* &&
> find . ! -name . ! -name lost+found ! -name quota.user \
> ! -name quota.group -execdir rm -rf -- {} \; -type d -prune)
>
Well spotted, solved:
$ diff /etc/rc /etc/rc.orig
450,451c450,451
< (cd /tmp && rm -rf [a-km-pr-uw-zA-Z]* &&
< find . ! -name . ! -name lost+found ! -name vi.recover ! -name
quota.user \
---
> (cd /tmp && rm -rf [a-km-pr-zA-Z]* &&
> find . ! -name . ! -name lost+found ! -name quota.user \
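Review bot: this hunk is reversed and mail-wrapped, so it will not apply with patch(1) as posted. `diff /etc/rc /etc/rc.orig` puts the modified file first, so the `<` lines at 450,451 are the new text and the `>` lines are the stock /etc/rc; and the second `<` line has been broken after `! -name`, leaving `quota.user \` on a line of its own. Regenerate it as `diff -u /etc/rc.orig /etc/rc` (or `diff -c`) and send it with the long line intact so the `rm -rf [a-km-pr-uw-zA-Z]*` and `! -name vi.recover` change can be applied directly.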
The reason I started doing this is that one night, when I was working at an
ISP, I found an SSH zombie had gotten onto one of our DNS servers
(sales:qwerty).
While /tmp and /home were mounted noexec, /var wasn't, so the zombie
compiled its own list driven sshd in /var/tmp and went scanning for more
hosts.
I thought that if /var/tmp was a symlink to /tmp, there would be no need
to repartition the disk and it would stop users messing about with their
own executables in /var/tmp.
--
Craig Skinner | http://www.kepax.co.uk | [EMAIL PROTECTED]
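The gap described in the message above (/tmp and /home mounted noexec, /var not) is easy to miss because the check has to be done per filesystem, not per directory. The following is an added example, not code from the original mail or from OpenBSD's /etc/rc: a small POSIX sh script that takes mount(8)-style output and reports which of the usual world-writable scratch directories sit on a filesystem mounted without noexec. MOUNT_TABLE is constructed sample data in OpenBSD's mount(8) output format; the device names, the list of scratch directories and the function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail or from OpenBSD's /etc/rc):
# given mount(8)-style output, report which world-writable scratch
# directories live on a filesystem mounted without noexec.
# MOUNT_TABLE is constructed sample data in OpenBSD's mount(8) format;
# replace it with "$(mount)" to check a live system.

MOUNT_TABLE='/dev/wd0a on / type ffs (local)
/dev/wd0d on /tmp type ffs (local, nodev, noexec, nosuid)
/dev/wd0e on /var type ffs (local, nodev, nosuid)
/dev/wd0f on /home type ffs (local, nodev, noexec, nosuid)'

# Directories an intruder can write to and would try to run a binary from
# (assumed list; extend it for your own layout).
SCRATCH_DIRS='/tmp /var/tmp /home'

# mount_line_of PATH: print the MOUNT_TABLE line whose mount point is the
# longest prefix of PATH, i.e. the filesystem that actually holds PATH.
# The path is matched as a string; a symlinked /var/tmp must be resolved
# by the caller first.
mount_line_of() {
    target=$1
    best=""
    bestline=""
    while read -r dev on mp rest; do
        [ "$on" = on ] || continue
        case "$mp" in
            /) prefix=/ ;;
            *) prefix=$mp/ ;;
        esac
        # Compare with a trailing slash so /tmp matches /tmp and /tmp/x
        # but not /tmpfoo.
        case "$target/" in
            "$prefix"*)
                if [ "${#mp}" -gt "${#best}" ]; then
                    best=$mp
                    bestline="$dev on $mp $rest"
                fi ;;
        esac
    done <<EOF
$MOUNT_TABLE
EOF
    printf '%s\n' "$bestline"
}

# mount_point_of PATH: just the mount point holding PATH.
mount_point_of() {
    # shellcheck disable=SC2046
    set -- $(mount_line_of "$1")
    printf '%s\n' "$3"
}

# has_noexec PATH: succeed if the filesystem holding PATH is mounted noexec.
has_noexec() {
    case "$(mount_line_of "$1")" in
        *noexec*) return 0 ;;
        *)        return 1 ;;
    esac
}

# exec_writable_dirs: print "DIR (on MOUNTPOINT)" for every scratch
# directory whose filesystem still permits execution.
exec_writable_dirs() {
    for d in $SCRATCH_DIRS; do
        if ! has_noexec "$d"; then
            printf '%s (on %s)\n' "$d" "$(mount_point_of "$d")"
        fi
    done
}

exec_writable_dirs
```

With the sample table this reports only `/var/tmp (on /var)`, which is exactly the hole the zombie used. On a live system feed it `mount` output and, if /var/tmp has been made a symlink as the message suggests, check the symlink's target rather than the literal path, since the script compares path strings and does not follow links.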