secure /tmp on servers
Check if /tmp is already secure. Some servers do not use a /tmp partition while others do.-----command-----
df -h |grep tmp
-----command-----
If
that displays nothing then go below to create a tmp partition. If you
do have a tmp partition you need to see if it mounted with noexec.
-----command-----
cat /etc/fstab |grep tmp
-----command-----
If there is a line that includes /tmp and noexec then it is already mounted as non-executable. If not follow the instructions below to create one without having to physically format your disk. Idealy you would make a real partition when the disk was originally formated, that being said I have not had any trouble create a /tmp partition using the following method.
Create a ~800Mb partition
-----command-----
cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=800000
-----command-----
Format the partion
-----command-----
mkfs.ext2 /dev/tmpMnt
-----command-----
When it asks about not being a block special device press Y
Make a backup of the old data
-----command-----
cp -Rp /tmp /tmp_backup
-----command-----
Mount the temp filesystem
-----command-----
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
-----command-----
Set the permissions
-----command-----
chmod 0777 /tmp
-----command-----
Copy the old files back
-----command-----
cp -Rp /tmp_backup/* /tmp/
-----command-----
Once you do that go ahead and restart mysql and make sure it works ok. We do this because mysql places the mysql.sock in /tmp which neeeds to be moved. If not it migth have trouble starting. If it does you can add this line to the bottom of the /etc/fstab to automatically have it mounted:
Open the file in pico:
-----command-----
pico -w /etc/fstab
-----command-----
Now add this single line at the bottom:
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0
While we are at it we are going to secure /dev/shm. Look for the mount line for /dev/shm and change it to the following:
none /dev/shm tmpfs noexec,nosuid 0 0
Umount and remount /dev/shm for the changes to take effect.
-----command-----
umount /dev/shm
mount /dev/shm
-----command-----
Delete the old /var/tmp and create a link to /tmp
-----command-----
rm -rf /var/tmp/
ln -s /tmp/ /var/
-----command-----
If everything still works fine, delete the /tmp_backup directory.
-----command-----
rm -rf /tmp_backup
-----command-----
Your
/tmp, /var/tmp, and /dev/shm are now mounted in a way that no program
can be directly run from these directories.
Category: linux - Visits: 728
No Comments - Edit - Delete