DirectAdmin Forums

#1
Old 03-05-2006, 04:55 AM
dannygoh
Verified User
 
Join Date: Feb 2004
Location: Malaysia
Posts: 358
Securing /tmp

Hi,

Can someone post a step-by-step or a link to securing /tmp on CentOS 4.2?
__________________
Danny Goh
http://www.gethosted.com.my
#2
Old 03-05-2006, 09:20 AM
jmstacey
Verified User
 
Join Date: Feb 2004
Location: Colorado
Posts: 4,111
Searching Google, I found this rough howto that may be useful for you. If not, I'm sure there are lots more out there.
Source: http://www.fedoraforum.org/forum/arc...p/t-44729.html
Quote:
If you are renting a server then chances are everything is lumped in / and a small amount partitioned for /boot and some for swap. With this current setup, you have no room for making more partitions unless you have a second hard-drive. Learn how to create a secure /tmp partition even while your server is already up and running.
Recently, I found out it would be worthwhile to give /tmp its own partition and mount it using noexec. This would protect your system from MANY local and remote exploits of rootkits being run from your /tmp folder.

What we are doing is creating a file that we will mount at /tmp. So log in via SSH and su to root so we may begin!

code:
cd /dev

Create a 100MB file for our /tmp partition. If you need more space, make the count larger.

code:
dd if=/dev/zero of=tmpMnt bs=1024 count=100000



Make an extended filesystem for our tmpMnt file

code:
/sbin/mke2fs /dev/tmpMnt

Back up your /tmp dir. I had a mysql.sock file that I needed to recreate the symbolic link for. Other programs may use it to store cache files or whatever.

code:
cd /

code:
cp -R /tmp /tmp_backup

Mount the new /tmp filesystem with noexec

code:
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

code:
chmod 1777 /tmp   # world-writable with the sticky bit set

Copy everything back to new /tmp and remove backup

code:
cp -R /tmp_backup/* /tmp/

code:
rm -rf /tmp_backup

Now we need to add this to fstab so it mounts automatically on reboots.

code:
pico -w /etc/fstab

You should see something like this:
code:
/dev/hda3 / ext3 defaults,usrquota 1 1
/dev/hda1 /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/hda2 swap swap defaults 0 0

At the bottom add
code:
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

(Each space is a tab)
Save it!
Ctrl + X and Y

You're done. /tmp is now mounted as noexec. You can sleep a little bit safer tonight. I created a hello world C++ program, compiled it, then moved it to /tmp. Upon trying to run it (even chmod +x'ed), it gives the following error:

code:
bash: ./a.out: Permission denied
__________________
Just do what it takes to make it happen
#3
Old 03-05-2006, 10:30 AM
truenegative
Verified User
 
Join Date: Feb 2006
Posts: 130
That's good information!
#4
Old 03-05-2006, 03:28 PM
jlasman
NoBaloney
 
Join Date: Jun 2003
Location: Riverside, Calif., USA
Posts: 20,706
If you're like most of us you're going to need a lot more than 100MB; we generally use 1G, if it's available.

Jeff
__________________

Jeff Lasman <directadmin@nobaloney.net> +1 951 643-5345
Third-Party DirectAdmin administration and support
Dedicated Servers, Dedicated Reseller Accounts
NoBaloney Internet Services
P.O. Box 52200
Riverside, Calif. 92517
#5
Old 03-06-2006, 06:41 PM
empoweri
Verified User
 
Join Date: Feb 2005
Location: New York
Posts: 49
why?

I understand the concept, but why do this? Sure, you'll protect the /tmp folder, but what prevents other folders on the system from being used?

Most hackers get in via some insecure application, and from there write files within the site that was broken into.
__________________
Larry Ludwig
Empowering Media - Managed Hosting
HostASite.com - Small Business Web Hosting
#6
Old 03-07-2006, 05:23 AM
dannygoh
Verified User
 
Join Date: Feb 2004
Location: Malaysia
Posts: 358
After it restarted, it cannot remount the tmpMnt:

Mar 7 16:39:45 server mount: /dev/tmpMnt: No such file or directory
__________________
Danny Goh
http://www.gethosted.com.my
#7
Old 03-07-2006, 09:58 AM
toml
Verified User
 
Join Date: Oct 2003
Location: Scottsdale, AZ
Posts: 797
empoweri:
You would do this, because /tmp is usually the only directory you can be sure will exist and be writeable by all. And a lot of scripts that the script kiddies use try to execute programs from /tmp.

dannygoh:
I am guessing that you are using devfs or udev and most likely at reboot your tmpDev file and everything else in /dev was removed. I would try redoing everything, except putting the file somewhere else besides /dev, like /var or somewhere else more permanent.
#8
Old 03-08-2006, 04:40 PM
jlasman
NoBaloney
 
Join Date: Jun 2003
Location: Riverside, Calif., USA
Posts: 20,706
Ouch! I didn't notice that Jon's example was using /dev as the place to put the tmpMnt file. /dev is NOT a good place; it can be rebuilt each time the OS is restarted.

Thanks for the catch, toml.

Jeff
__________________

Jeff Lasman <directadmin@nobaloney.net> +1 951 643-5345
Third-Party DirectAdmin administration and support
Dedicated Servers, Dedicated Reseller Accounts
NoBaloney Internet Services
P.O. Box 52200
Riverside, Calif. 92517
#9
Old 03-12-2006, 01:44 PM
jmstacey
Verified User
 
Join Date: Feb 2004
Location: Colorado
Posts: 4,111
Here's what I used and it's working fine for me (you'll probably want to increase the sizes though):

Code:
cp /etc/fstab /etc/fstab.original

cd /dev
dd if=/dev/zero of=Tmp bs=1024 count=512000
dd if=/dev/zero of=varTmp bs=1024 count=102400

mkfs -t ext3 /dev/Tmp
mkfs -t ext3 /dev/varTmp

cd /
cp -aR /tmp /tmp_backup
mount -o loop,noexec,nosuid,rw /dev/Tmp /tmp
cp -aR /tmp_backup/* /tmp/
chmod 0777 /tmp
chmod +t /tmp

cd /var/
cp -aR /var/tmp /var/tmp_backup
mount -o loop,noexec,nosuid,rw /dev/varTmp /var/tmp
cp -aR /var/tmp_backup/* /var/tmp/
chmod 0777 /var/tmp
chmod +t /var/tmp

df -h   # confirm everything is working

# Add the mounts to your /etc/fstab:
/dev/Tmp        /tmp            ext3    loop,noexec,nosuid,rw   0       0
/dev/varTmp     /var/tmp        ext3    loop,noexec,nosuid,rw   0       0
__________________
Just do what it takes to make it happen
#10
Old 03-12-2006, 07:06 PM
jlasman
NoBaloney
 
Join Date: Jun 2003
Location: Riverside, Calif., USA
Posts: 20,706
Jon,

/dev is actually reserved for OS use. It's a directory reserved for building a file structure that's really a look into the internals of the kernel.

As such, there's nothing in the Linux or Unix definitions to require that it not be rebuilt every time a system is started, and toml's post is absolutely correct.

I haven't studied either devfs or udev, so I'm not sure, but dannygoh's experience makes sense.

I'd definitely use a different mount point.

Jeff
__________________

Jeff Lasman <directadmin@nobaloney.net> +1 951 643-5345
Third-Party DirectAdmin administration and support
Dedicated Servers, Dedicated Reseller Accounts
NoBaloney Internet Services
P.O. Box 52200
Riverside, Calif. 92517
#11
Old 03-21-2006, 10:59 PM
unixexperts
Registered User
 
Join Date: Dec 2005
Location: London
Posts: 1
Here is my position:

[root@server ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 70G 26G 41G 40% /
/dev/sda1 99M 22M 73M 23% /boot
none 1013M 0 1013M 0% /dev/shm
/usr/tmpDSK 485M 41M 419M 9% /tmp
/tmp 485M 41M 419M 9% /var/tmp
[root@server ~]#
#12
Old 07-25-2006, 08:09 AM
Maniak
Verified User
 
Join Date: Aug 2004
Location: Switzerland
Posts: 183
Hello,

I run Fedora Core 3; this works fine until reboot.

Reason: I run RAID-1 (hardware). How can I have this still working at reboot with RAID-1?

Looking forward to hearing from someone.

:-)
#13
Old 07-25-2006, 08:18 AM
toml
Verified User
 
Join Date: Oct 2003
Location: Scottsdale, AZ
Posts: 797
Raid-1 should have nothing to do with this not working. Raid-1 should be transparent to the underlying filesystems. What is happening on your system? What steps did you take to set it up? I assume you read this whole thread and weren't putting the tmpfs in /dev for the reasons stated above.
#14
Old 07-25-2006, 08:31 AM
Maniak
Verified User
 
Join Date: Aug 2004
Location: Switzerland
Posts: 183
Hello,

Yes, I placed them in /dev, but I'd like to ask you: where can I store them if not in /dev? Elsewhere I'm not able to do it.

The command simply does not go.

Where do you advise me to place it?
#15
Old 07-25-2006, 08:35 AM
toml
Verified User
 
Join Date: Oct 2003
Location: Scottsdale, AZ
Posts: 797
That is your problem. Some Linux distributions use devfs to recreate the /dev filesystem each time the system is booted. You should place that file somewhere else. For example:
Code:
dd if=/dev/zero of=/var/TmpFS bs=1024 count=102400

mkfs -t ext3 /var/TmpFS

# edit /etc/fstab and add:
/var/TmpFS     /tmp        ext3    loop,noexec,nosuid,rw   0       0
If done as root, there should be no reason any of these commands should fail.
#16
Old 07-25-2006, 09:07 AM
Maniak
Verified User
 
Join Date: Aug 2004
Location: Switzerland
Posts: 183
Hey ! Thanks.

I made a typo in my target.

This went fine:

Quote:
cd /var
dd if=/dev/zero of=/var/TmpFS bs=1024 count=1024000
mkfs -t ext3 /var/TmpFS
cp -aR /tmp /tmp_backup
mount -o loop,noexec,nosuid,rw /var/TmpFS /tmp
cp -aR /tmp_backup/* /tmp/
chmod 1777 /tmp

---

vi /etc/fstab
/var/TmpFS /tmp ext3 loop,noexec,nosuid,rw 0 0
Thanks.
Reply With Quote
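A check for the fstab mistakes this thread runs into, added here as an example and not part of any post: it flags a loop backing file kept under /dev (the reboot failure in post #6), a backing file placed under its own mount point, and missing noexec/nosuid. The function name and the sample entries are constructed for illustration.

```bash
# Added example: audit fstab-style lines read from stdin for /tmp and /var/tmp.
# Prints one finding per line; returns 0 when there are none, 1 otherwise.
audit_tmp_fstab() {
    local dev mnt fstype opts rest opt findings=0 seen_tmp=0
    while read -r dev mnt fstype opts rest || [ -n "$dev" ]; do
        case $dev in ''|'#'*) continue ;; esac               # blank line or comment
        case $mnt in /tmp|/var/tmp) ;; *) continue ;; esac   # only the temp directories
        if [ "$mnt" = /tmp ]; then seen_tmp=1; fi
        for opt in noexec nosuid; do                          # options used in the thread
            case ",$opts," in
                *",$opt,"*) ;;
                *) echo "$mnt: missing $opt"; findings=$((findings + 1)) ;;
            esac
        done
        case ",$opts," in
            *,loop,*|*,loop=*)                                # file-backed loop mount
                case $dev in
                    /dev/*)
                        echo "$mnt: backing file $dev is under /dev, which may be rebuilt at boot"
                        findings=$((findings + 1)) ;;
                    "$mnt"/*)
                        echo "$mnt: backing file $dev is inside its own mount point"
                        findings=$((findings + 1)) ;;
                esac ;;
        esac
    done
    if [ "$seen_tmp" -eq 0 ]; then
        echo "/tmp: no dedicated mount entry"; findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample inputs (not taken from a real server).
sample_bad() {
    printf '%s\n' \
        '/dev/hda3        /         ext3  defaults,usrquota      1 1' \
        '/dev/tmpMnt      /tmp      ext2  loop,noexec,nosuid,rw  0 0' \
        '/var/tmp/varTmp  /var/tmp  ext3  loop,rw                0 0'
}
sample_good() {
    printf '%s\n' \
        '/var/TmpFS     /tmp      ext3  loop,noexec,nosuid,rw  0 0' \
        '/var/VarTmpFS  /var/tmp  ext3  loop,noexec,nosuid,rw  0 0'
}

sample_bad | audit_tmp_fstab || true          # reports four findings
sample_good | audit_tmp_fstab && echo "no findings"
```

To check a live system before rebooting, run `audit_tmp_fstab < /etc/fstab`.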
  #17  
Old 04-16-2009, 04:42 AM
durjoy
Verified User
 
Join Date: Nov 2007
Posts: 12
Dear Maniak, I have followed your instructions and made my tmp folder secure. Everything was running fine yesterday, even when I rebooted the system. All the daemons started without any problem.

This morning I woke up to a call from one of my friends. He told me my site is offline.

OMG, everything is messed up. None of my sites is running.

After rebooting several times, httpd has now started, but no luck with mysql.

I am in deep ****. Please help.
#18
Old 04-16-2009, 04:49 AM
floyd
Verified User
 
Join Date: Mar 2005
Posts: 5,041
http://www.directadmin.com/forum/sho...t=29608&page=2
__________________
--------------------------------------------------
Floyd Morrissette Newwebsite.com
Now specializing in OpenVZ AND XEN VPS technology
#19
Old 04-16-2009, 04:54 AM
durjoy
Verified User
 
Join Date: Nov 2007
Posts: 12
Dear Floyd,

Thank you so much for your help. Can you please instruct me how I can undo these folder-securing things? I have to resume my website ASAP; some of my clients' sites are running there.

I will try to re-secure the /tmp folder later on.

Thank you so much.
#20
Old 04-16-2009, 05:00 AM
floyd
Verified User
 
Join Date: Mar 2005
Posts: 5,041
I don't know why the web sites are not running unless they are required to use the /tmp directory and cannot for some reason. I cannot tell you how to fix something when I cannot be sure of what you did or what the current situation is. Since I cannot see your server, anything I tell you might make things worse. Several of us here do this for a living and can help you, usually for a small fee, and the work is guaranteed.

I am not here to try to make money off of you. But I am not going to try to blindly tell you what to do and then get the blame when things get worse.
__________________
--------------------------------------------------
Floyd Morrissette Newwebsite.com
Now specializing in OpenVZ AND XEN VPS technology