Secure temp (/scripts/securetmp) not working!!!!

jols

Well-Known Member
Mar 13, 2004
1,107
3
168
We usually see this when running df -h (excerpt):

Mounted on
/
/boot
/tmp
/dev/shm
/var/tmp


But I was surprised to see this just now instead:

Mounted on
/
/boot
/dev/shm
/tmp


So when I ran /scripts/securetmp, I got this:

Mounted on
/
/boot
/dev/shm
/tmp
/tmp


When I ran /scripts/securetmp again, I got this:

Mounted on
/
/boot
/dev/shm
/tmp
/tmp
/tmp


Can anyone help?
 

rootsupport

Member
May 2, 2006
18
0
151
India
Every system needs temporary folders that any user is able to read and write, BUT these directories should not be able to execute programs or scripts. Though this will only protect you from somebody running the script directly, it will help with a large portion of the automated rootkits and trojans that script kiddies use. They will still be able to put the files on the system, but they will be unable to execute them and create the back door. One of the biggest problems is PHP injection via Apache, in which people will have Apache download and then run an exploit. Securing the temp directories is probably the single biggest thing you can do towards securing your server.

This guide will work fine with cPanel, Ensim, Plesk, and of course with no control panel. It is designed for Redhat but should work on any Linux variant.

The first step is to check if /tmp is already secure. Some datacenters do not create a /tmp partition while others do.
-----command-----
df -h |grep tmp
-----command-----


If that displays nothing, then go below to create a tmp partition. If you do have a tmp partition, you need to see if it is mounted with noexec.
-----command-----
cat /etc/fstab |grep tmp
-----command-----

If there is a line that includes /tmp and noexec, then it is already mounted as non-executable. If not, follow the instructions below to create one without having to physically format your disk. Ideally you would make a real partition when the disk was originally formatted; that being said, I have not had any trouble creating a /tmp partition using the following method.

Create a ~800Mb partition
-----command-----
cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=800000
-----command-----

Format the partition
-----command-----
mkfs.ext2 /dev/tmpMnt
-----command-----
When it asks about not being a block special device press Y


Make a backup of the old data
-----command-----
cp -Rp /tmp /tmp_backup
-----command-----

Mount the temp filesystem
-----command-----
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
-----command-----

Set the permissions
-----command-----
chmod 1777 /tmp   # leading 1 = sticky bit, so users can delete only their own files
-----command-----

Copy the old files back
-----command-----
cp -Rp /tmp_backup/* /tmp/
-----command-----

Once you do that, go ahead and restart mysql and make sure it works OK. We do this because mysql places the mysql.sock in /tmp, which needs to be moved. If not, it might have trouble starting. If it does, you can add this line to the bottom of the /etc/fstab to automatically have it mounted:

Open the file in pico:
-----command-----
pico -w /etc/fstab
-----command-----
Now add this single line at the bottom:

/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

While we are at it we are going to secure /dev/shm. Look for the mount line for /dev/shm and change it to the following:
none /dev/shm tmpfs noexec,nosuid 0 0

Umount and remount /dev/shm for the changes to take effect.
-----command-----
umount /dev/shm
mount /dev/shm
-----command-----

Next delete the old /var/tmp and create a link to /tmp
-----command-----
rm -rf /var/tmp/
ln -s /tmp/ /var/
-----command-----

If everything still works fine you can go ahead and delete the /tmp_backup directory.
-----command-----
rm -rf /tmp_backup
-----command-----


Your /tmp, /var/tmp, and /dev/shm are now mounted in a way that no program can be directly run from these directories.

Hope this article will help you.
 

jols

Well-Known Member
Mar 13, 2004
1,107
3
168
Thanks a bunch for your response.

Looks like we may be secure?:

root@(servername) [~]# cat /etc/fstab |grep tmp
/dev/sda3 /tmp ext3 defaults,noexec,nosuid,nodev 1 2
none /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0


The puzzling part is that each time I run /scripts/securetmp I get another tmp partition. Currently:

root@(servername) [~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda5 227G 66G 149G 31% /
/dev/sda1 99M 12M 83M 12% /boot
none 1014M 0 1014M 0% /dev/shm
/dev/sda3 1012M 34M 927M 4% /tmp
/tmp 1012M 34M 927M 4% /tmp
/tmp 1012M 34M 927M 4% /tmp


From other cPanel servers, we get no such result (in any case), and doing df -h with any of these, shows the expected:

root@(servername) [~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 66G 54G 8.9G 86% /
/dev/sda1 99M 16M 79M 17% /boot
none 1004M 0 1004M 0% /dev/shm
/usr/tmpDSK 485M 13M 447M 3% /tmp
/tmp 485M 13M 447M 3% /var/tmp
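
A check covering both questions raised so far (do the temp mount points actually carry noexec and nosuid, and has one of them been mounted more than once), as an added example that is not part of any post or of cPanel's /scripts/securetmp. It reads the live mount table format of /proc/mounts rather than /etc/fstab; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit temp-directory mounts in /proc/mounts format
# (device mountpoint fstype options dump pass), read from stdin.
REQUIRED="noexec nosuid"            # options the how-to above sets
TEMP_DIRS="/tmp /var/tmp /dev/shm"  # mount points discussed in the thread

audit_mounts() {
    awk -v req="$REQUIRED" -v dirs="$TEMP_DIRS" '
    BEGIN { nreq = split(req, R, " "); nd = split(dirs, D, " ") }
    # Mounts are listed in the order they were made, so the last line
    # for a mount point is the one on top and the one whose options apply.
    { count[$2]++; opts[$2] = $4 }
    END {
        for (i = 1; i <= nd; i++) {
            d = D[i]
            if (!(d in count)) { print d, "NOT_MOUNTED"; continue }
            missing = ""
            for (j = 1; j <= nreq; j++)
                if (index("," opts[d] ",", "," R[j] ",") == 0)
                    missing = missing (missing == "" ? "" : ",") R[j]
            status = (missing == "") ? "OK" : "MISSING:" missing
            if (count[d] > 1) status = status " STACKED:" count[d]
            print d, status
        }
    }'
}

# Constructed sample (not taken from any poster's server): /tmp mounted
# three times, the top entry without noexec/nosuid; /var/tmp not a mount.
sample_mounts() {
    cat <<'EOF'
/dev/sda5 / ext3 rw 0 0
none /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda3 /tmp ext3 rw 0 0
/dev/sda3 /tmp ext3 rw 0 0
EOF
}

sample_mounts | audit_mounts
# On a live server: audit_mounts < /proc/mounts
```

A NOT_MOUNTED result for /var/tmp is expected when it is a symlink to /tmp, as in the how-to; the /tmp result then applies to it.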
 

Solokron

Well-Known Member
Aug 8, 2003
852
2
168
Seattle
cPanel Access Level
DataCenter Provider
cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=800000
dd: writing `tmpMnt': No space left on device
1+0 records in
0+0 records out

What can I do in regards to no space left on device?
 

Solokron

Well-Known Member
Aug 8, 2003
852
2
168
Seattle
cPanel Access Level
DataCenter Provider
Anyone?


Solokron said:
cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=800000
dd: writing `tmpMnt': No space left on device
1+0 records in
0+0 records out

What can I do in regards to no space left on device?
 

wites

Registered
Jun 28, 2004
4
0
151
The first step is to check if /tmp is already secure. Some datacenters do not create a /tmp partition while others do.
-----command-----
df -h |grep tmp
-----command-----

If that displays nothing then go below to create a tmp partition.
after issuing the command, i got this

/dev/sda6 1012M 34M 927M 4% /tmp

so that means i already have a /tmp partition

If you do have a tmp partition, you need to see if it is mounted with noexec.
-----command-----
cat /etc/fstab |grep tmp
-----command-----

If there is a line that includes /tmp and noexec, then it is already mounted as non-executable. If not, follow the instructions below to create one without having to physically format your disk. Ideally you would make a real partition when the disk was originally formatted; that being said, I have not had any trouble creating a /tmp partition using the following method.
again, after issuing the command above, i have this

none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
LABEL=/tmp /tmp ext3 defaults 1 2


now, do i still have to do the instructions below? do i still have to create tmpMnt. or do i have to skip some of them? if i do, where should i start? your help would be much appreciated. thanks.

 

mctDarren

Well-Known Member
Jan 6, 2004
665
9
168
New Jersey
cPanel Access Level
Root Administrator
cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=800000
dd: writing `tmpMnt': No space left on device
1+0 records in
0+0 records out

What can I do in regards to no space left on device?
You don't have that much space left on the drive in the box. Lower the 800000, though truly if you don't have that much room on the box, anything less is going to cause you problems anyway. Did you have a tmp previously?

Edit: Just realized this thread is a couple months old - apologies. ;)
 

mctDarren

Well-Known Member
Jan 6, 2004
665
9
168
New Jersey
cPanel Access Level
Root Administrator
The puzzling part is that each time I run /scripts/securetmp I get another tmp partition.
Shouldn't be too puzzling, since what that script does is essentially what the how to posted here does. Sets up a virtual directory and mounts it as noexec. :)
 

mctDarren

Well-Known Member
Jan 6, 2004
665
9
168
New Jersey
cPanel Access Level
Root Administrator
again, after issuing the command above, i have this

none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
LABEL=/tmp /tmp ext3 defaults 1 2


now, do i still have to do the instructions below?
No, you already have a virtual directory - essentially their "tmpMnt" is your "tmpfs". If you loaded up /etc/fstab in your favorite editor you would see the lines above near the bottom in there. fstab is basically your filesystem and its mounting procedures in a nice little table for you. Edit it and restart and your box will mount drives according to this file.

What the how to is doing is simple: creating a file, mounting it as a directory (tmp) and setting permissions on it through the fstab. It's a fast and easy way to a nice, neat tmp directory you can easily change or dump later.

Credit to Steve Leggett (Ramprage) over at webhostgear.com for coming up with this over 3 years ago. If you liked this helpful hint I would suggest you check out his site!
 

wites

Registered
Jun 28, 2004
4
0
151
thank you for the reply but the reason i'm asking this is that i was able to run programs like this "hello" script on my /tmp folder.

Code:
/* hello.c */
#include <stdio.h>

int main(void)
{
        printf("Hello, World!\n");
        return 0;
}
here's a copy of my fstab.

Code:
LABEL=/                 /                       ext3    defaults,usrquota        1 1
LABEL=/backup           /backup                 ext3    defaults        1 2
LABEL=/boot             /boot                   ext3    defaults        1 2
none                    /dev/pts                devpts  gid=5,mode=620  0 0
LABEL=/home             /home                   ext3    defaults,usrquota        1 2
none                    /proc                   proc    defaults        0 0
none                    /dev/shm                tmpfs   defaults,nosuid,noexec,rw       0 0
LABEL=/tmp              /tmp                    ext3    defaults        1 2
LABEL=/usr              /usr                    ext3    defaults,usrquota        1 2
LABEL=/var              /var                    ext3    defaults,usrquota        1 2
/dev/sda8               swap                    swap    defaults        0 0
/dev/cdrom              /mnt/cdrom              udf,iso9660 noauto,owner,kudzu,ro 0 0
/dev/fd0                /mnt/floppy             auto    noauto,owner,kudzu 0 0

 

mctDarren

Well-Known Member
Jan 6, 2004
665
9
168
New Jersey
cPanel Access Level
Root Administrator
My apologies, looks like I glanced over your grep results too quickly. :) Change the line:
Code:
LABEL=/tmp              /tmp                    ext3    defaults        1 2
to look like
Code:
LABEL=/tmp              /tmp                    ext3    loop,nosuid,noexec,rw       0 0
and then you'll either have to remount tmp or restart the box. By the way, if you followed the procedure given in the post here and manually added this line make sure you use "ext2" not "ext3" as your fs type. This doesn't appear to be your case, though, Wites. Hope that helps.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
80
458
cPanel Access Level
Root Administrator
and then you'll either have to remount tmp or restart the box.
With sufficiently new Linux systems, the following will remount:
Code:
mount -o remount /tmp
You can do that for nearly any mounted device, just substitute the appropriate mount point for /tmp. Of course, if the information is not in your /etc/fstab file, you may have to specify all the mount options.
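
The fstab edit discussed in the last few posts, done by script instead of by hand, as an added example that is not from any poster or from cPanel. It merges the hardening options into one entry's options field, drops any explicit exec/suid/dev that would contradict them, and gives the same result when run twice; the function names are hypothetical and the inclusion of nodev is an assumption taken from the fstab lines jols posted.

```shell
#!/bin/sh
# Added example: add hardening options to a single /etc/fstab entry.
HARDEN="noexec nosuid nodev"   # assumption: nodev included as well

# Usage: harden_fstab MOUNTPOINT < fstab > fstab.new
harden_fstab() {
    awk -v mp="$1" -v add="$HARDEN" '
    BEGIN { n = split(add, A, " "); OFS = "\t" }
    # Comments, short lines and other mount points pass through untouched.
    /^[ \t]*#/ || NF < 4 || $2 != mp { print; next }
    {
        m = split($4, O, ","); out = ""
        for (i = 1; i <= m; i++) {
            keep = 1
            # Drop a token if it is already a hardening option or its
            # opposite (exec, suid, dev); it is re-added once below.
            for (j = 1; j <= n; j++)
                if (O[i] == A[j] || ("no" O[i]) == A[j]) keep = 0
            if (keep) out = out (out == "" ? "" : ",") O[i]
        }
        for (j = 1; j <= n; j++) out = out (out == "" ? "" : ",") A[j]
        $4 = out   # assigning a field rebuilds this line tab-separated
        print
    }'
}

# Sample lines in the shape of the fstab posted above.
sample_fstab() {
    cat <<'EOF'
LABEL=/home             /home                   ext3    defaults,usrquota        1 2
none                    /dev/shm                tmpfs   defaults,nosuid,noexec,rw       0 0
LABEL=/tmp              /tmp                    ext3    defaults        1 2
EOF
}

sample_fstab | harden_fstab /tmp
```

Write the result to a new file and compare it with the original before replacing /etc/fstab; the remount command above then applies the new options without a reboot.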
 

wites

Registered
Jun 28, 2004
4
0
151
webtiva & cpanelkenneth: thank you both. i have my /tmp secured.


