Red Hat Bugzilla – Bug 1261271
defaults are just wrong on install
Last modified: 2016-07-19 15:18:15 EDT
Description of problem:
Another LINUX-WIDE DOOZY. Installation defaults, even for n00bs, are way off and these settings are being used by the masses AS-IS without thought to fix the issue, or as an afterthought which in some cases can't be fixed without reinstallation.
EVEN server people are doing it wrong.
Telling me I should know better because this is not Windows is inviting a flame war. WE ALL KNOW BETTER. The defaults are just plain unacceptable. Not everyone is a Linux expert elite programmer.
Nothing is locked down. Complain about hackers all you want because your setup is FUBAR. You can eliminate most hacks if you take simple steps. THESE should be the DEFAULTS.
/var/tmp (this took some time to find out): noexec,nosuid,nodev
** DO NOT BIND mount this. BIND mounting to wherever inherits permissions **
/var/tmp is MEANT to survive reboots.
Note this needs to be big enough if you plan on spinning (20GB+).
You can make the partition, but to set it up right, you need to go into /etc/fstab and change the options post install.
[post install, but could be a separate partition]
(you can size limit these also)
I picked mode 1700 for a REASON. There is NO NEED to change it.
I have highlighted PLENTY of other hacks in my kickstart and debian post-install tarball on wikis.southernhedgehogs.org. Most of the changes I've made apply to everything and I am working on the Fedora zipfile. I've noticed a LOT of issues with it as-is. The instructions are generally "there" and applicable.
Version-Release number of selected component (if applicable):
ALL LINUX versions
ALWAYS on install
Steps to Reproduce:
need new defaults and preconfigured packages
See the webpage mentioned and the changes within the linked files for solutions. Some distros are making this a WONTFIX issue, referring this instead to HARDENING sections. There is no reason we cannot have hardened by default.
Forkbomb solution is implemented already but I don't see how or where.
dd solution can be slightly modified for admin groups, i.e. mode 770 instead of 700. Note that despite my warning to immute the files in the core file package, this file is set immutable.
Created attachment 1071972 [details]
linux wide hacks (tarball)
Took away all of the proposed xpi files and applications (700MB -> a few KB); the help file and post-install script do most of the work.
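Added example, not from the report or the Fedora project: a POSIX sh check that an fstab-format table mounts /var/tmp with noexec,nosuid,nodev and not as a bind mount, which is what the report asks for as a default. The sample fstab lines are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report: audit fstab-format entries for the
# /var/tmp hardening the report asks for (noexec,nosuid,nodev, no bind mount).

# Constructed sample fstab text. Line 1 is the kind of default the report
# complains about, line 2 is the bind-mount anti-pattern, line 3 is hardened.
SAMPLE_FSTAB='UUID=1111-aaaa  /var/tmp  ext4  defaults                     1 2
/tmp            /var/tmp  none  bind                         0 0
UUID=2222-bbbb  /var/tmp  xfs   defaults,nodev,nosuid,noexec 0 2
UUID=3333-cccc  /         ext4  defaults                     1 1'

# check_vartmp_line "<fstab line>": prints OK/WEAK for a /var/tmp entry.
# Returns 0 if hardened, 1 if weak, 2 if the line is not a /var/tmp entry.
check_vartmp_line() {
    set -- $1                      # split the fstab fields on whitespace
    mountpoint=$2; opts=$4
    [ "$mountpoint" = "/var/tmp" ] || return 2
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;        # option present
            *) missing="$missing $want" ;;
        esac
    done
    # A bind mount inherits the source's options, so its own flags are moot.
    case ",$opts," in *",bind,"*) missing="$missing bind-mount" ;; esac
    if [ -z "$missing" ]; then
        echo "OK   /var/tmp $opts"; return 0
    fi
    echo "WEAK /var/tmp $opts -> missing:$missing"; return 1
}

# audit_fstab "<fstab text>": one verdict line per /var/tmp entry.
audit_fstab() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        check_vartmp_line "$line" || true
    done
}

# count_weak_vartmp "<fstab text>": number of /var/tmp entries that fail.
count_weak_vartmp() {
    audit_fstab "$1" | grep -c '^WEAK' || true
}

audit_fstab "$SAMPLE_FSTAB"
```

Run it against a real table with `audit_fstab "$(cat /etc/fstab)"` or against the live mount table with `audit_fstab "$(cat /proc/mounts)"` (the field order is the same for the first four columns).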
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
Thank you for reporting this bug and we are sorry it could not be fixed.