Bug 1261271 - defaults are just wrong on install
Product: Fedora
Classification: Fedora
Component: distribution
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Assigned To: Václav Pavlín
Fedora Extras Quality Assurance
Depends On:
Reported: 2015-09-09 01:49 EDT by Richard Jasmin
Modified: 2016-07-19 15:18 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-07-19 15:18:15 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments
linux wide hacks(tarball) (31.58 KB, application/octet-stream)
2015-09-09 19:24 EDT, Richard Jasmin

Description Richard Jasmin 2015-09-09 01:49:18 EDT
Description of problem:
Another LINUX-WIDE doozy. Installation defaults, even for n00bs, are way off, and these settings are being used by the masses AS-IS without thought to fix the issue, or as an afterthought, which in some cases can't be fixed without reinstallation.

EVEN server people are doing it wrong.

Telling me I should know better because this is not Windows is inviting a flame war. WE ALL KNOW BETTER. The defaults are just plain unacceptable. Not everyone is a Linux expert elite programmer.

Nothing is locked down. Complain about hackers all you want, because your setup is FUBAR. You can eliminate most hacks if you take simple steps. THESE should be the DEFAULTS.

[separate partition]
/var/tmp (this took some time to find out) noexec,nosuid,nodev

** DO NOT BIND mount this. BIND mounting to wherever inherits permissions **
/var/tmp is MEANT to survive reboots.

Note this needs to be big enough if you plan on spinning (20GB+).
You can make the partition, but to set it up right, you need to go into /etc/fstab and change the options post install.

[post install but could be separate partition]
(you can size limit these also)
/tmp noatime,nodiratime,nosuid,nodev,noexec,mode=1700
/dev/shm noatime,nodiratime,nosuid,nodev,noexec,mode=1700

I picked mode 1700 for a REASON. There is NO NEED to change it.

I have highlighted PLENTY of other hacks in my kickstart and Debian post-install tarball on wikis.southernhedgehogs.org. Most of the changes I've made apply to everything, and I am working on the Fedora zipfile. I've noticed a LOT of issues with it as-is. The instructions are generally "there" and applicable.

Version-Release number of selected component (if applicable):
ALL LINUX versions

How reproducible:
ALWAYS on install

Steps to Reproduce:
1. Install Linux

Actual results:

Expected results:
need new defaults and preconfigured packages

Additional info:
see the webpage mentioned and changes within the linked files for solutions. Some distros are making this a WONTFIX issue, referring this instead to HARDENING sections. There is no reason we cannot have hardened by default.

Forkbomb solution is implemented already, but I don't see how or where.
dd solution can be slightly modified for admin groups, i.e. mode 770 instead of 700. Note that despite my warning to immute the files in the core file package, this file is set immutable.
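Added example (not part of the bug report or of Fedora): a small POSIX shell audit that reads an fstab-format file and reports which of the hardening options listed above are missing from the /tmp, /var/tmp and /dev/shm entries. The required options follow the report (noexec, nosuid, nodev for all three; mode=1700 additionally for tmpfs entries); the sample fstab at the bottom is constructed for the demonstration and is not taken from any real system.

```sh
#!/bin/sh
# Added example, not code from the bug report. Audits fstab entries for the
# mount points the report discusses and prints the hardening options they lack.

# check_mount_opts MOUNTPOINT OPTIONS REQUIRED...
# OPTIONS is the comma-separated fstab option field. Prints one line naming
# each REQUIRED option that is absent; returns 0 when nothing is missing.
check_mount_opts() {
    mp=$1
    opts=",$2,"
    shift 2
    missing=""
    for need in "$@"; do
        case "$opts" in
            *",$need,"*) ;;                      # option present
            *) missing="$missing $need" ;;       # option absent
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing${missing}"
        return 1
    fi
    return 0
}

# audit_fstab FILE
# Scans FILE (fstab format) for /tmp, /var/tmp and /dev/shm. tmpfs entries are
# also expected to carry mode=1700, as the report recommends for /tmp and
# /dev/shm. Returns 0 if every covered entry has all options, 1 otherwise.
audit_fstab() {
    rc=0
    while read -r dev mp fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
        case "$mp" in
            /tmp|/var/tmp|/dev/shm)
                if [ "$fstype" = tmpfs ]; then
                    check_mount_opts "$mp" "$opts" noexec nosuid nodev mode=1700 || rc=1
                else
                    check_mount_opts "$mp" "$opts" noexec nosuid nodev || rc=1
                fi
                ;;
        esac
    done < "$1"
    return $rc
}

# Constructed sample fstab (not from a real system): /var/tmp is set up as the
# report asks, /tmp lacks noexec, and /dev/shm is left at "defaults".
SAMPLE_FSTAB=$(mktemp)
trap 'rm -f "$SAMPLE_FSTAB"' EXIT
cat > "$SAMPLE_FSTAB" <<'EOF'
# constructed sample fstab
UUID=0000-root   /          ext4   defaults                                    1 1
/dev/sdb1        /var/tmp   ext4   defaults,noexec,nosuid,nodev                1 2
tmpfs            /tmp       tmpfs  noatime,nodiratime,nosuid,nodev,mode=1700   0 0
tmpfs            /dev/shm   tmpfs  defaults                                    0 0
EOF

audit_fstab "$SAMPLE_FSTAB" || echo "audit: at least one entry needs attention"
```

To audit a live system, point audit_fstab at /etc/fstab, or at /proc/mounts to see the options actually in effect (the report's point that a bind mount inherits the source's options is visible there, since /proc/mounts shows the effective flags rather than what fstab requested).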
Comment 1 Richard Jasmin 2015-09-09 19:24:12 EDT
Created attachment 1071972 [details]
linux wide hacks(tarball)
Comment 2 Richard Jasmin 2015-09-09 19:26:01 EDT
Took away all of the proposed xpi files and applications (700MB -> to a few KB); help file and post-install script do most of the work.
Comment 3 Fedora End Of Life 2016-07-19 15:18:15 EDT
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this

Thank you for reporting this bug and we are sorry it could not be fixed.
