Namespaces

Enabling per-user /tmp directory

It's a good choice to have per-user /tmp directories, as this will prevent unprivileged users from seeing other users files. IBM has a good guide on how to setup PAM for that (https://www.ibm.com/developerworks/library/l-polyinstantiation/)

The steps below are shamelessly copies from IBM:

nano /etc/security/namespace.conf

/tmp     /tmp/tmp-inst/         user       root,adm
/var/tmp /var/tmp/tmp-inst/     user       root,adm

Next we need to create those directories:

mkdir /tmp/tmp-inst
mkdir /var/tmp/tmp-inst
chown root:root /tmp/tmp-inst /var/tmp/tmp-inst
chmod 000 /tmp/tmp-inst /var/tmp/tmp-inst

and enable the namespace module:

nano /etc/pam.d/login && nano /etc/pam.d/sshd

session    required     pam_namespace.so // to be added at the end

Going even further

If your system is going to be used by multiple users, keep in mind that one cannot trust them. It is not even required that your users want to damage you, but one might got social-engineered, thus allowing a hacker to enter your system.

If you are really into securing your box from unprivileged users, you can checkout the following projects:

• https://github.com/joehakimrahme/Agros
• http://l3net.wordpress.com/projects/firejail/
• http://olivier.sessink.nl/jailkit/