Secure /tmp



This will cover securing /tmp, /var/tmp and /dev/shm.

Secure /tmp:



Step 1: Backup your /etc/fstab file

cp /etc/fstab /etc/fstab.bak

Step 2: Make a 3GB file for the /tmp partition and create an ext3 filesystem on it:

dd if=/dev/zero of=/var/tempFS bs=1024 count=3072000
/sbin/mkfs.ext3 /var/tempFS

*Change the count= to something higher if you need more space*

Step 3: Create a backup copy of your current /tmp drive:

cp -Rpf /tmp /tmpbackup

Step 4: Mount our new tmp partition and change permissions:

mount -o loop,noexec,nosuid,rw /var/tempFS /tmp
chmod 1777 /tmp

Step 5: Copy the old data:

cp -Rpf /tmpbackup/* /tmp/

* If your /tmp was empty earlier, you might get this error: cp: cannot stat `/tmpbackup/*': No such file or directory

Step 6: Edit /etc/fstab and add this:

nano -w /etc/fstab

And ADD this line:

/var/tempFS /tmp ext3 loop,nosuid,noexec,rw 0 0

Step 7: Test your fstab entry:

mount -o remount /tmp

Step 8: Verify that your /tmp mount is working:

df -h

Should look something like this:

/var/tempFS           962M   18M  896M   2% /tmp



Secure /var/tmp:



Step 1: Use /tmp as /var/tmp.

mv /var/tmp /var/vartmp
ln -s /tmp /var/tmp

Step 2: Copy the old data back:

cp -Rpf /var/vartmp/* /tmp/

* If your /var/tmp was empty earlier, you might get this error: cp: cannot stat `/var/vartmp/*': No such file or directory


Secure /dev/shm:



Step 1: Edit your /etc/fstab:

nano -w /etc/fstab

Locate:

none /dev/shm tmpfs defaults,rw 0 0

Change it to:

none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0

Step 2: Remount /dev/shm:

mount -o remount /dev/shm



You should restart services that use the /tmp partition.
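A check worth running once the three procedures above are done, added here as an example and not part of the original how-to: it reads text in /proc/mounts format and confirms that each location carries noexec and nosuid, taking the last entry for a path when the same mount point appears twice (the "two /tmp" situation some readers report below). The mount table in the script is constructed; invoke it with --live to audit the running system instead.

```sh
#!/bin/sh
# Added example, not part of the original how-to: check that a mount point
# carries the options this page relies on (noexec, nosuid), reading text in
# /proc/mounts format: device mountpoint fstype options dump pass.

# Usage: mount_has_opts MOUNT_TABLE MOUNTPOINT OPT...
# Returns 0 if MOUNTPOINT is present with every OPT; otherwise reports what
# is missing and returns 1.
mount_has_opts() {
    table=$1; mp=$2; shift 2
    # The last entry for a path wins: a later mount shadows an earlier one
    # on the same mount point (the "two /tmp" situation from the comments).
    opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    [ -n "$opts" ] || { echo "$mp: not mounted"; return 1; }
    missing=""
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    [ -z "$missing" ] || { echo "$mp: missing$missing (has: $opts)"; return 1; }
}

# Usage: audit_tmp_mounts MOUNT_TABLE MOUNTPOINT...
# Requires noexec and nosuid on every listed mount point; returns 1 if any fails.
audit_tmp_mounts() {
    table=$1; shift; rc=0
    for mp in "$@"; do
        mount_has_opts "$table" "$mp" noexec nosuid || rc=1
    done
    return $rc
}

# Constructed sample table: /tmp was mounted twice (this how-to's loop file
# over an earlier /dev/md2 mount) and /dev/shm has not yet been hardened.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/md2 /tmp ext3 rw 0 0
/var/tempFS /tmp ext3 rw,nosuid,noexec 0 0
tmpfs /dev/shm tmpfs rw 0 0'

# With --live, audit the running system; /var/tmp is a symlink to /tmp after
# this how-to, so resolve it first (readlink -f is GNU coreutils).
if [ "${1:-}" = "--live" ]; then
    audit_tmp_mounts "$(cat /proc/mounts)" /tmp "$(readlink -f /var/tmp)" /dev/shm
else
    audit_tmp_mounts "$SAMPLE_MOUNTS" /tmp /dev/shm || echo "sample audit: unhardened mounts found"
fi
```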

  • Shawn

    This how-to worked just fine, but 1GB wasn't enough. /tmp is now full. Is there a way to re-size this directory? So far I haven't found any documentation online for such a thing.

  • Shan

    When I use this mv /var/tmp /var/vartmp to secure /dev/shm, it shows "mv: cannot move `/var/tmp' to `/var/vartmp': Device or resource busy"

  • Mike Price

    Hi

    I think there is a typo in step 5:

    “cp -Rpf /tmp.bak/* /tmp/” should be “cp -Rpf /tmpbackup/* /tmp/”

    Very easy to follow though. :)

    Admin Edit: Post updated, thanks!

  • rissadum

    Didn't find
    none /dev/shm tmpfs defaults,rw 0 0

    in step 1 of Secure /dev/shm:

    instead there are two lines
    none /dev/pts devpts rw 0 0
    /var/tempFS /tmp ext3 loop,nosuid,noexec,rw 0 0

    what can i do?

  • syskill

    How exactly does mounting /tmp on a loopback device contribute to system security?

  • Ali

    I can't find
    "none /dev/shm tmpfs defaults,rw 0 0"

    my /etc/fstab :
    /dev/VolGroup00/LogVol00 / ext3 defaults,usrquota,grpquota 1 1
    LABEL=/boot /boot ext3 defaults 1 2
    tmpfs /dev/shm tmpfs defaults,nosuid,noexec 0 0
    devpts /dev/pts devpts gid=5,mode=620 0 0
    sysfs /sys sysfs defaults 0 0
    proc /proc proc defaults 0 0
    /dev/VolGroup00/LogVol01 swap swap defaults 0 0
    tmpfs /tmp tmpfs defaults,nosuid,noexec 0 0
    /var/tempFS /tmp ext3 loop,nosuid,noexec,rw 0 0

    thanks

  • RLS Hosting

    Does this work on VPS or just Dedicated Servers? Thanks.

  • Chris

    Following the steps to secure shm, I don’t see the following line in /etc/fstab:

    none /dev/shm tmpfs defaults,rw 0 0

    Instead, the most similar I see is:

    tmpfs /dev/shm tmpfs defaults 0 0

    Thanks!

  • Tim J Birkett

    If you were mounting tmp.img as your /tmp file and wanted to add 9 GB to it:

    umount /tmp
    dd if=/dev/zero bs=1M count=9216 >> tmp.img
    resize2fs -f tmp.img
    mount -a

    you now have a 10GB /tmp file (may require service restarts / reboot)

  • Mzopg

    I did the "secure /tmp" part, and now I have two /tmp:
    /dev/md2 3.9G 75M 3.6G 3% /tmp
    /var/tempFS 3.9G 75M 3.6G 3% /tmp

    Is this ok?

  • http://twitter.com/belsemtech مؤسسة البلسم

    thanks for this tutorial :)

  • guest

    it does not, but mounting with noexec does.

  • Anonymous

    Step 4: I type 'mount -o loop,noexec,nosuid,rw /var/tempFS /tmp' and get the message:
    "mount: no permission to look at /dev/loop#"
    How do I solve this? Thanks.
    -saosangmo

  • Anonymous

    duplicate!
    please remove this for me!

  • Elijah

    mount -o loop,noexec,nosuid,rw /var/tempFS /tmp
    mount: you must specify the filesystem type
    How can I solve this?