Secure temp (/scripts/securetmp) not working!!!!

Discussion in 'General Discussion' started by jols, Sep 15, 2006.

  1. jols

    We usually see this when running df -h (excerpt):

    Mounted on
    /
    /boot
    /tmp
    /dev/shm
    /var/tmp


    But I was surprised to see this just now instead:

    Mounted on
    /
    /boot
    /dev/shm
    /tmp


    So when I ran /scripts/securetmp, I got this:

    Mounted on
    /
    /boot
    /dev/shm
    /tmp
    /tmp


    When I ran /scripts/securetmp again, I got this:

    Mounted on
    /
    /boot
    /dev/shm
    /tmp
    /tmp
    /tmp


    Can anyone help?
     
  2. rootsupport

    Every system needs temporary folders that any user is able to read and write BUT these directories should not be able to execute programs or scripts. Though this will only protect you from somebody running the script directly it will help with a large portion of the automated rootkits and trojans that script kiddies use. They will still be able to put the files on the system but they will be unable to execute them and create the back door. One of the biggest problems is php injection via apache in which people will have apache download and then run an exploit. Securing the temp directories is probably the single biggest thing you can do towards securing your server.

    This guide will work fine with cPanel, ensim, plesk, and of course with no control panel. It is designed for Redhat but should work on any Linux variant.

    The first step is to check if /tmp is already secure. Some datacenters do not create a /tmp partition while others do.
    -----command-----
    df -h |grep tmp
    -----command-----


    If that displays nothing then go below to create a tmp partition. If you do have a tmp partition you need to see if it is mounted with noexec.
    -----command-----
    cat /etc/fstab |grep tmp
    -----command-----

    If there is a line that includes /tmp and noexec then it is already mounted as non-executable. If not, follow the instructions below to create one without having to physically format your disk. Ideally you would make a real partition when the disk was originally formatted; that being said, I have not had any trouble creating a /tmp partition using the following method.

    Create a ~800Mb partition
    -----command-----
    cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=800000
    -----command-----

    Format the partition
    -----command-----
    mkfs.ext2 /dev/tmpMnt
    -----command-----
    When it asks about not being a block special device press Y


    Make a backup of the old data
    -----command-----
    cp -Rp /tmp /tmp_backup
    -----command-----

    Mount the temp filesystem
    -----command-----
    mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
    -----command-----

    Set the permissions
    -----command-----
    chmod 0777 /tmp
    -----command-----

    Copy the old files back
    -----command-----
    cp -Rp /tmp_backup/* /tmp/
    -----command-----

    Once you do that go ahead and restart mysql and make sure it works ok. We do this because mysql places the mysql.sock in /tmp which needs to be moved. If not it might have trouble starting. If it does you can add this line to the bottom of the /etc/fstab to automatically have it mounted:

    Open the file in pico:
    -----command-----
    pico -w /etc/fstab
    -----command-----
    Now add this single line at the bottom:

    /dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

    While we are at it we are going to secure /dev/shm. Look for the mount line for /dev/shm and change it to the following:
    none /dev/shm tmpfs noexec,nosuid 0 0

    Umount and remount /dev/shm for the changes to take effect.
    -----command-----
    umount /dev/shm
    mount /dev/shm
    -----command-----

    Next delete the old /var/tmp and create a link to /tmp
    -----command-----
    rm -rf /var/tmp/
    ln -s /tmp/ /var/
    -----command-----

    If everything still works fine you can go ahead and delete the /tmp_backup directory.
    -----command-----
    rm -rf /tmp_backup
    -----command-----


    Your /tmp, /var/tmp, and /dev/shm are now mounted in a way that no program can be directly run from these directories.

    Hope this article will help you.
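
Added example (not part of the original posts, and not cPanel's /scripts/securetmp): a shell function that audits a mount table for the conditions this thread is about, namely noexec and nosuid on /tmp, /var/tmp and /dev/shm, and the same mount point listed more than once. The function name, status labels and sample rows are constructed for illustration; input is assumed to be in the column layout shared by /proc/mounts and /etc/fstab.

```shell
#!/bin/sh
# Added example, not from the thread: audit temp mount points.
# Reads a mount table on stdin in the column layout shared by
# /proc/mounts and /etc/fstab: device mountpoint fstype options dump pass
# Usage: audit_tmp_mounts < /proc/mounts    (or: < /etc/fstab)

audit_tmp_mounts() {
    awk '
    BEGIN { n = split("/tmp /var/tmp /dev/shm", want, " ") }
    $1 ~ /^#/ || NF < 4 { next }      # skip comments and short lines
    {
        count[$2]++                   # how many entries share this mount point
        opts[$2] = $4                 # later entries sit on top, so keep the last
    }
    END {
        for (i = 1; i <= n; i++) {
            mp = want[i]; s = ""
            if (!(mp in count)) { print mp ": no entry"; continue }
            o = "," opts[mp] ","
            if (index(o, ",noexec,") == 0) s = s " missing-noexec"
            if (index(o, ",nosuid,") == 0) s = s " missing-nosuid"
            if (count[mp] > 1) s = s " stacked-x" count[mp]
            if (s == "") { s = " ok" } else { bad = 1 }
            print mp ":" s
        }
        exit bad + 0                  # non-zero when any finding was reported
    }'
}

# Constructed sample (hypothetical devices), shaped like the repeated
# /tmp rows in the df output quoted in the thread.
sample_stacked() {
    cat <<'EOF'
/dev/sda5 / ext3 rw 0 0
none /dev/shm tmpfs rw,noexec,nosuid,nodev 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/tmp /tmp none rw,noexec,nosuid,bind 0 0
/tmp /tmp none rw,noexec,nosuid,bind 0 0
EOF
}
```

A "no entry" result for /var/tmp is expected when /var/tmp is a symlink to /tmp, as in the guide above, since a symlink does not appear in the mount table.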
     
  3. jols

    Thanks a bunch for your response.

    Looks like we may be secure?:

    root@(servername) [~]# cat /etc/fstab |grep tmp
    /dev/sda3 /tmp ext3 defaults,noexec,nosuid,nodev 1 2
    none /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0


    The puzzling part is that each time I run /scripts/securetmp I get another tmp partition. Currently:

    root@(servername) [~]# df -h
    Filesystem Size Used Avail Use% Mounted on
    /dev/sda5 227G 66G 149G 31% /
    /dev/sda1 99M 12M 83M 12% /boot
    none 1014M 0 1014M 0% /dev/shm
    /dev/sda3 1012M 34M 927M 4% /tmp
    /tmp 1012M 34M 927M 4% /tmp
    /tmp 1012M 34M 927M 4% /tmp


    From other cPanel servers, we get no such result (in any case), and doing df -h with any of these, shows the expected:

    root@(servername) [~]# df -h
    Filesystem Size Used Avail Use% Mounted on
    /dev/sda3 66G 54G 8.9G 86% /
    /dev/sda1 99M 16M 79M 17% /boot
    none 1004M 0 1004M 0% /dev/shm
    /usr/tmpDSK 485M 13M 447M 3% /tmp
    /tmp 485M 13M 447M 3% /var/tmp
     
  4. Solokron

    cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=800000
    dd: writing `tmpMnt': No space left on device
    1+0 records in
    0+0 records out

    What can I do in regards to no space left on device?
     
  5. Solokron

    Anyone?


    .
     
  6. wites

    after issuing the command, i got this

    /dev/sda6 1012M 34M 927M 4% /tmp

    so that means i already have a /tmp partition

    again, after issuing the command above, i have this

    none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
    LABEL=/tmp /tmp ext3 defaults 1 2


    now, do i still have to do the instructions below? do i still have to create tmpMnt. or do i have to skip some of them? if i do, where should i start? your help would be much appreciated. thanks.

     
  7. mctDarren

    You don't have that much space left on the drive in the box. Lower the 800000, though truly if you don't have that much room on the box, anything less is going to cause you problems anyway. Did you have a tmp previously?

    Edit: Just realized this thread is a couple months old - apologies. ;)
     
    #7 mctDarren, Dec 19, 2006
    Last edited: Dec 19, 2006
  8. mctDarren

    Shouldn't be too puzzling, since what that script does is essentially what the how to posted here does. Sets up a virtual directory and mounts it as noexec. :)
     
    #8 mctDarren, Dec 19, 2006
    Last edited: Dec 19, 2006
  9. mctDarren

    No, you already have a virtual directory - essentially their "tmpMnt" is your "tmpfs". If you loaded up /etc/fstab in your favorite editor you would see the lines above near the bottom in there. fstab is basically your filesystem and its mounting procedures in a nice little table for you. Edit it and restart and your box will mount drives according to this file.

    What the how to is doing is simple: creating a file, mounting it as a directory (tmp) and setting permissions on it through the fstab. It's a fast and easy way to a nice, neat tmp directory you can easily change or dump later.

    Credit to Steve Leggett (Ramprage) over at webhostgear.com for coming up with this over 3 years ago. If you liked this helpful hint I would suggest you check out his site!
     
  10. wites

    thank you for the reply but the reason i'm asking this is that i was able to run programs like this "hello" script on my /tmp folder.

    Code:
    /* hello.c */
    #include <stdio.h>
    
    int main (void)
    {
            printf("Hello, World!\n");
            return 0;       /* exit status 0 = success */
    }
    
    here's a copy of my fstab.

    Code:
    LABEL=/                 /                       ext3    defaults,usrquota        1 1
    LABEL=/backup           /backup                 ext3    defaults        1 2
    LABEL=/boot             /boot                   ext3    defaults        1 2
    none                    /dev/pts                devpts  gid=5,mode=620  0 0
    LABEL=/home             /home                   ext3    defaults,usrquota        1 2
    none                    /proc                   proc    defaults        0 0
    none                    /dev/shm                tmpfs   defaults,nosuid,noexec,rw       0 0
    LABEL=/tmp              /tmp                    ext3    defaults        1 2
    LABEL=/usr              /usr                    ext3    defaults,usrquota        1 2
    LABEL=/var              /var                    ext3    defaults,usrquota        1 2
    /dev/sda8               swap                    swap    defaults        0 0
    /dev/cdrom              /mnt/cdrom              udf,iso9660 noauto,owner,kudzu,ro 0 0
    /dev/fd0                /mnt/floppy             auto    noauto,owner,kudzu 0 0
    

     
  11. mctDarren

    My apologies, looks like I glanced over your grep results too quickly. :) Change the line:
    Code:
    LABEL=/tmp              /tmp                    ext3    defaults        1 2
    to look like
    Code:
    LABEL=/tmp              /tmp                    ext3    loop,nosuid,noexec,rw       0 0
    and then you'll either have to remount tmp or restart the box. By the way, if you followed the procedure given in the post here and manually added this line make sure you use "ext2" not "ext3" as your fs type. This doesn't appear to be your case, though, Wites. Hope that helps.
     
  12. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    With sufficiently new Linux systems, the following will remount:
    Code:
    mount -o remount /tmp
    
    You can do that for nearly any mounted device, just substitute the appropriate mount point for /tmp. Of course, if the information is not in your /etc/fstab file, you may have to specify all the mount options.
     
  13. wites

    webtiva & cpanelkenneth: thank you both. i have my /tmp secured.



     