
Secure /tmp partition

Discussion in 'General Discussion' started by gopal, Jul 20, 2004.

  1. gopal

    gopal Guest

    If you are renting a server then chances are everything is lumped in / with a small amount partitioned for /boot and some for swap. With this setup, you have no room for making more partitions unless you have a second hard drive. Learn how to create a secure /tmp partition even while your server is already up and running.
    Recently, I found out it would be worthwhile to give /tmp its own partition and mount it using noexec. This would protect your system from MANY local and remote exploits of rootkits being run from your /tmp folder.

    What we are doing is creating a file that we will use to mount at /tmp. So log into SSH and su to root so we may begin!

    code:
    cd /dev

    Create 100MB file for our /tmp partition. If you need more space, make count size larger.

    code:
    dd if=/dev/zero of=tmpMnt bs=1024 count=100000


    Make an extended filesystem for our tmpMnt file

    code:
    /sbin/mke2fs /dev/tmpMnt

    Back up your /tmp dir. I had a mysql.sock file that I needed to recreate the symbolic link for. Other programs may use it to store cache files or whatever.

    code:
    cd /

    code:
    cp -R /tmp /tmp_backup

    Mount the new /tmp filesystem with noexec

    code:
    mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

    code:
    chmod 0777 /tmp

    Copy everything back to new /tmp and remove backup

    code:
    cp -R /tmp_backup/* /tmp/

    code:
    rm -rf /tmp_backup

    Now we need to add this to fstab so it mounts automatically on reboots.

    code:
    pico -w /etc/fstab

    You should see something like this:
    code:
    /dev/hda3 / ext3 defaults,usrquota 1 1
    /dev/hda1 /boot ext3 defaults 1 2
    none /dev/pts devpts gid=5,mode=620 0 0
    none /proc proc defaults 0 0
    none /dev/shm tmpfs defaults 0 0
    /dev/hda2 swap swap defaults 0 0


    At the bottom add
    code:
    /dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

    (Each space is a tab)
    Save it!
    Ctrl + X and Y

    You're done: /tmp is now mounted as noexec. You can sleep a little bit safer tonight. I created a hello world C++ program, compiled it, then moved it to /tmp. Upon trying to run it (even after chmod +x), it gives the following error:

    code:
    bash: ./a.out: Permission denied

    Yay! /tmp no longer has execute permissions :-D
     
  2. chirpy

    chirpy Well-Known Member

    Or, just run /scripts/securetmp and save yourself the hassle :rolleyes:
     
  3. gopal

    gopal Guest

    Hi chirpy,

    This is a general thing, not only for cPanel; it applies to all Linux OSes.
     
  4. chirpy

    chirpy Well-Known Member

    However, this is the cPanel forums so you're more than likely going to have people coming here for a cPanel solution. Why do all that work when you can just run one script?
     
  5. markhard

    markhard Well-Known Member

    Does that trick work on a VPS?

    I ran /scripts/securetmp on my VPS but it didn't work; users can still write and run scripts in /tmp.
     
  6. chirpy

    chirpy Well-Known Member

    Securing /tmp is something of a false security, to be honest. You will still be able to copy scripts to it and then run them through the interpreter. So, this shouldn't work:

    /tmp/script.pl

    But this always will:

    perl /tmp/script.pl
     
  7. markhard

    markhard Well-Known Member

    But if users can't write/copy files to /tmp then they can't run any script.

    I guess securing /tmp is to make it not writeable too?
     
  8. chirpy

    chirpy Well-Known Member

    No, /tmp should always be writeable to everyone - it's the place where temporary files are meant to be created by CGI scripts, PHP scripts, server services, etc.
     
  9. markhard

    markhard Well-Known Member

    So it is impossible, then, to protect our server from users installing IRC bots, psyBNC, etc.? :confused:
     
  10. chirpy

    chirpy Well-Known Member

    Well, users can install anything into their own web space. /tmp/ protection is about making it harder for hackers who use vulnerabilities in your users' CGI/PHP scripts to upload files to your /tmp/ directory.

    Your best defence is a correctly configured hardware or software (iptables) firewall that blocks unused in and out going ports.

    cPanel does have limited ability to get rid of some of those things: WHM > System Health > Background Process Killer

    You should also enable fork bomb protection under WHM > Shell Fork Bomb Protection

    The rest is about knowing your server and checking it with security apps and sys admin tools.
     
  11. WhatsYourDomain

    What about VPS?

    I get:

    # /scripts/securetmp
    Would you like to secure /tmp & /var/tmp at boot time? (y/n) y
    Would you like to secure /tmp & /var/tmp now? (y/n) y
    Securing /tmp & /var/tmp
    The system does not support loop devices.

    filesystems:

    # df -h
    Filesystem Size Used Avail Use% Mounted on
    /dev/simfs 245G 2.7G 242G 2% /

    How can I mount /tmp as a partition? Or is that not needed?
     
  12. WhatsYourDomain

    This worked for me.

    mount -o bind,nosuid,noexec,nodev,rw /var/tmp /tmp

    /scripts/securetmp
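The two approaches in this thread (gopal's loop-backed image in post 1 and the bind mount WhatsYourDomain used on a VPS without loop devices) both come down to getting the right mount options onto /tmp and keeping them across reboots. The script below is an added example, not code from the thread or from cPanel's /scripts/securetmp: it builds the fstab entry for either approach and audits a /proc/mounts-style listing to report which of noexec, nosuid and nodev are missing from /tmp. The paths /dev/tmpMnt and /var/tmp are taken from the thread; the function names, the sample mount lines in the comments and the addition of nodev to gopal's loop options are my own. It does not run mount or edit /etc/fstab itself, and, as chirpy points out above, a passing check only means direct execution from /tmp is blocked, not that scripts fed to an interpreter are.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for a hardened /tmp mount.
#   fstab_line_loop  - fstab entry for a loop-backed /tmp image (post 1's method)
#   fstab_line_bind  - fstab entry for a bind-mounted /tmp (VPS without loop devices)
#   check_mount_opts - given one /proc/mounts line, print the missing hardening options
#   audit_tmp        - find /tmp in a mounts listing and report on it

# Options a hardened /tmp should carry (nodev added on top of post 1's noexec,nosuid).
REQUIRED_OPTS="noexec nosuid nodev"

# Print an fstab entry for a loop-backed /tmp image. Fields are tab separated,
# as post 1 notes; /dev/tmpMnt is the image path used in the thread.
fstab_line_loop() {
    image="${1:-/dev/tmpMnt}"
    printf '%s\t/tmp\text2\tloop,noexec,nosuid,nodev,rw\t0 0\n' "$image"
}

# Print an fstab entry that bind-mounts a directory onto /tmp with the same
# restrictions (the approach used on the VPS in the last post; default /var/tmp).
fstab_line_bind() {
    src="${1:-/var/tmp}"
    printf '%s\t/tmp\tnone\tbind,noexec,nosuid,nodev,rw\t0 0\n' "$src"
}

# Given one /proc/mounts line (device mountpoint fstype options dump pass),
# print the options from REQUIRED_OPTS that are absent, space separated.
# Returns 0 when nothing is missing, 1 otherwise.
check_mount_opts() {
    line="$1"
    opts=$(printf '%s\n' "$line" | awk '{print $4}')
    missing=""
    for o in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$o,"*) ;;                       # option present
            *) missing="$missing $o" ;;        # option absent
        esac
    done
    missing="${missing# }"
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Audit a mounts listing (default: the live /proc/mounts). Exit status:
#   0 - /tmp is a separate mount carrying all required options
#   1 - /tmp is mounted but lacks one or more options
#   2 - /tmp is not a separate mount point at all (the VPS symptom in the thread)
audit_tmp() {
    mounts="${1:-/proc/mounts}"
    line=$(awk '$2 == "/tmp"' "$mounts" | tail -n 1)
    if [ -z "$line" ]; then
        echo "/tmp is not a separate mount point" >&2
        return 2
    fi
    missing=$(check_mount_opts "$line" || :)
    if [ -n "$missing" ]; then
        echo "/tmp is missing: $missing" >&2
        return 1
    fi
    echo "/tmp is mounted with $REQUIRED_OPTS"
}

# Constructed sample lines for trying the check by hand:
#   check_mount_opts '/dev/loop0 /tmp ext2 rw,nosuid,nodev,noexec,relatime 0 0'   # prints nothing, status 0
#   check_mount_opts '/dev/simfs /tmp simfs rw,relatime 0 0'                      # prints "noexec nosuid nodev", status 1
```

Run `audit_tmp` on its own to check the live system, and `fstab_line_loop` or `fstab_line_bind` to produce the line to append to /etc/fstab. One caveat for the bind variant: older versions of mount apply only the bind on the first pass and ignore the other options, so on such systems a second `mount -o remount,bind,noexec,nosuid,nodev /tmp` is needed before the audit will pass.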
     