Wednesday, July 22, 2009

Securing /tmp and /dev/shm

The first step is to check whether /tmp is already a separate filesystem. Some data centers create a /tmp partition when they build a server and others do not.

#df -h |grep tmp


If that shows no line for /tmp, go to the steps below to create one. If /tmp is already a separate mount you need to see whether it is mounted with noexec.

#cat /etc/fstab |grep tmp

If there is a line that includes /tmp and noexec, it is already mounted as non-executable (/etc/fstab shows what is configured at boot; running mount with no arguments shows the options actually in effect right now). If not, follow the instructions below to create a loopback filesystem for /tmp without having to repartition the disk. Ideally you would make a real partition when the disk was originally formatted; that being said, I have not had any trouble creating a /tmp partition using the following method.

Create a ~1000 MB file to hold the filesystem. On a system where /dev is itself a tmpfs or devtmpfs, a file created there will not survive a reboot, so in that case put the file on a persistent filesystem instead and use that path in the commands that follow.

#cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=1000000

Format the file with an ext2 filesystem

#mkfs.ext2 /dev/tmpMnt

When mkfs warns that the target is not a block special device, answer y.


Make a backup of the old data

#cp -Rp /tmp /tmp_backup

Mount the temp filesystem over /tmp (adding nodev to the option list as well is sensible, since nothing in /tmp should ever be a device node)

#mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

Set the permissions. The sticky bit (the leading 1) matters: a plain 0777 would let any user delete or rename another user's files in /tmp.

#chmod 1777 /tmp

Copy the old files back

#cp -Rp /tmp_backup/* /tmp/

Now restart MySQL and make sure it comes up cleanly. This is needed because MySQL puts mysql.sock in /tmp, and the new mount hides whatever was in the old /tmp directory (the backup copied above is what brings the files back), so a server still holding the old socket may have trouble starting. Once it works, add this line to the bottom of /etc/fstab so the filesystem is mounted automatically at boot:

Open the file in vi:

#vi /etc/fstab

Now add this single line at the bottom:

/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

While we are at it we are going to secure /dev/shm. Look for the mount line for /dev/shm and change it to the following:

none /dev/shm tmpfs noexec,nosuid 0 0

Unmount and remount /dev/shm for the changes to take effect (umount will refuse if a process still has something open there; stop that process first).

#umount /dev/shm
#mount /dev/shm


Next delete the old /var/tmp and replace it with a link to /tmp. Note that this discards whatever is currently in /var/tmp, and that /var/tmp is meant for temporary files that survive a reboot while /tmp is often cleaned at boot, so back it up first if anything there matters.

#rm -rf /var/tmp/
#ln -s /tmp/ /var/


If everything still works fine you can go ahead and delete the /tmp_backup directory.

#rm -rf /tmp_backup

Your /tmp, /var/tmp, and /dev/shm are now mounted so that no binary can be executed directly from them. As I have said in other articles, there are still ways in: noexec stops the kernel from running a file as a program, but an interpreter such as sh or perl can still read a script from a noexec filesystem, so this is one of the many layers of security you should have on your system, not the only one.
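The script below is an added example, not part of the original post, for verifying the result of this procedure. It reads /proc/mounts-format lines ("device mountpoint fstype options dump pass") and reports whether /tmp, /var/tmp and /dev/shm carry both noexec and nosuid, then drops a tiny script into each secured directory to show what noexec blocks (running the file directly) and what it does not (feeding the same file to sh). The function names and the SAMPLE_MOUNTS text are constructed for the example; the live audit at the bottom runs against the real /proc/mounts when it is readable and resolves symlinks, so the /var/tmp -> /tmp link made above is checked at its target.

```shell
#!/bin/sh
# Added example (not from the original post): audit the mount options of
# /tmp, /var/tmp and /dev/shm and probe what noexec actually stops.

# Constructed sample standing in for /proc/mounts. /dev/shm here is
# deliberately missing noexec so the check has something to report.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/loop0 /tmp ext2 rw,nosuid,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid 0 0'

# mount_opts MOUNTS_TEXT MOUNTPOINT: print the option field of the last
# entry for MOUNTPOINT (a later mount on the same point shadows an earlier one).
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { o = $4 } END { print o }'
}

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated options.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_path MOUNTS_TEXT PATH: print "secure", "missing:<opts>" or
# "notmounted". PATH must already be a real mountpoint, not a symlink.
check_path() {
    opts=$(mount_opts "$1" "$2")
    if [ -z "$opts" ]; then
        printf 'notmounted\n'
        return 1
    fi
    missing=""
    for want in noexec nosuid; do
        has_opt "$opts" "$want" || missing="${missing}${missing:+,}${want}"
    done
    if [ -z "$missing" ]; then
        printf 'secure\n'
        return 0
    fi
    printf 'missing:%s\n' "$missing"
    return 1
}

# exec_probe DIR: write a small script into DIR and report whether it runs
# when executed directly (noexec blocks this) and when handed to sh
# (noexec does not block this; the interpreter just reads the file).
exec_probe() {
    probe="$1/noexec-probe.$$"
    printf '#!/bin/sh\necho ran\n' > "$probe"
    chmod 755 "$probe"
    if out=$("$probe" 2>/dev/null) && [ "$out" = "ran" ]; then
        direct=allowed
    else
        direct=blocked
    fi
    if [ "$(sh "$probe" 2>/dev/null)" = "ran" ]; then
        via_sh=allowed
    else
        via_sh=blocked
    fi
    rm -f "$probe"
    printf 'direct=%s via_sh=%s\n' "$direct" "$via_sh"
}

# Live audit against the real /proc/mounts (Linux only).
if [ -r /proc/mounts ]; then
    live=$(cat /proc/mounts)
    for p in /tmp /var/tmp /dev/shm; do
        target=$(readlink -f "$p" 2>/dev/null || printf '%s' "$p")
        status=$(check_path "$live" "$target")
        printf '%s (%s): %s\n' "$p" "$target" "$status"
        if [ "$status" = "secure" ] && [ -w "$target" ]; then
            printf '    probe: %s\n' "$(exec_probe "$target")"
        fi
    done
fi
```

On a box set up as described above the probe line for /tmp should read direct=blocked via_sh=allowed; a direct=allowed result means the noexec option is not in effect on that mount, regardless of what /etc/fstab says.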
