secure /tmp on servers
Check if /tmp is already secure. Some servers do not use a /tmp partition while others do.
-----command-----
df -h |grep tmp
-----command-----
If that displays nothing, go below to create a tmp partition. If you do have a tmp partition, you need to see if it is mounted with noexec.
-----command-----
cat /etc/fstab |grep tmp
-----command-----
If there is a line that includes /tmp and noexec, it is already mounted as non-executable. If not, follow the instructions below to create one without having to physically repartition your disk. Ideally you would make a real partition when the disk was originally formatted; that being said, I have not had any trouble creating a /tmp partition using the following method.
Create a ~800 MB image file to back the partition (the post keeps it under /dev; on systems where /dev is a volatile devtmpfs the file will not survive a reboot, so a persistent location such as /var is safer)
-----command-----
cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=800000
-----command-----
Format the partition
-----command-----
mkfs.ext2 /dev/tmpMnt
-----command-----
When it asks about not being a block special device press Y
Make a backup of the old data
-----command-----
cp -Rp /tmp /tmp_backup
-----command-----
Mount the temp filesystem
-----command-----
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
-----command-----
Set the permissions (1777: world-writable with the sticky bit, so users can only remove their own files)
-----command-----
chmod 1777 /tmp
-----command-----
Copy the old files back
-----command-----
cp -Rp /tmp_backup/* /tmp/
-----command-----
Once you do that, restart mysql and make sure it works. We do this because mysql places mysql.sock in /tmp, which needs to be moved along with the rest; if it was not, mysql might have trouble starting. If it does work, you can add the line below to the bottom of /etc/fstab to have the filesystem mounted automatically:
Open the file in pico:
-----command-----
pico -w /etc/fstab
-----command-----
Now add this single line at the bottom:
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0
While we are at it we are going to secure /dev/shm. Look for the mount line for /dev/shm and change it to the following:
none /dev/shm tmpfs noexec,nosuid 0 0
Unmount and remount /dev/shm for the changes to take effect.
-----command-----
umount /dev/shm
mount /dev/shm
-----command-----
Delete the old /var/tmp and create a link to /tmp
-----command-----
rm -rf /var/tmp/
ln -s /tmp/ /var/
-----command-----
If everything still works fine, delete the /tmp_backup directory.
-----command-----
rm -rf /tmp_backup
-----command-----
Your /tmp, /var/tmp, and /dev/shm are now mounted in a way that no program can be directly run from these directories.
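As an added example (not part of the original post), here is a small POSIX sh audit that checks the end state the steps above aim for: each of /tmp, /var/tmp and /dev/shm must be mounted with both noexec and nosuid. check_mount_opts parses /proc/mounts-style lines, and audit_temp_dirs runs it over the three directories, following a symlink such as the /var/tmp -> /tmp link created above. The SAMPLE_MOUNTS text is constructed for offline testing; pass nothing to audit_temp_dirs to read the live /proc/mounts instead.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the temp filesystems
# are mounted with noexec and nosuid.

# Constructed sample of /proc/mounts output (not real server data). /var/tmp is
# deliberately left without the hardening options to show a failing check.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/loop0 /tmp ext2 rw,nosuid,noexec,relatime 0 0
none /dev/shm tmpfs rw,nosuid,noexec,relatime 0 0
/dev/sda2 /var/tmp ext4 rw,relatime 0 0'

# check_mount_opts "<mounts text>" <mountpoint>
# Prints "ok", "missing:<opts>" or "notmounted"; returns 0 only for "ok".
check_mount_opts() {
    mounts="$1"
    mp="$2"
    # Field 2 is the mount point, field 4 the comma-separated options;
    # the last matching line wins, as with overlapping mounts.
    opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print $4 }' | tail -n 1)
    if [ -z "$opts" ]; then
        echo "notmounted"
        return 1
    fi
    missing=""
    for want in noexec nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
    return 0
}

# audit_temp_dirs [<mounts text>]
# Checks the three directories the post hardens; reads /proc/mounts when no
# text is given. Returns non-zero if any directory fails the check.
audit_temp_dirs() {
    mounts="${1:-$(cat /proc/mounts)}"
    rc=0
    for mp in /tmp /var/tmp /dev/shm; do
        target="$mp"
        # After "ln -s /tmp/ /var/", /var/tmp is a symlink: check its target.
        if [ -L "$mp" ]; then
            target=$(readlink -f "$mp")
        fi
        result=$(check_mount_opts "$mounts" "$target") || rc=1
        echo "$mp: $result"
    done
    return $rc
}

# Run against the constructed sample when executed directly.
audit_temp_dirs "$SAMPLE_MOUNTS" || echo "one or more temp filesystems still allow exec or suid"
```

Against the sample this prints "ok" for /tmp and /dev/shm and "missing:noexec,nosuid" for /var/tmp, which is exactly the case the /var/tmp symlink step above is meant to remove. Run it without an argument after a reboot to confirm the fstab entries took effect.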
Category: linux