The Community Forums


Secure /tmp partition

Discussion in 'General Discussion' started by gopal, Jul 20, 2004.

  1. gopal

    gopal Guest

    If you are renting a server then chances are everything is lumped in / with a small amount partitioned for /boot and some for swap. With this setup you have no room for making more partitions unless you have a second hard drive. Learn how to create a secure /tmp partition even while your server is already up and running.
    Recently, I found out it would be worthwhile to give /tmp its own partition and mount it using noexec. This would protect your system from MANY local and remote exploits of rootkits being run from your /tmp folder.

    What we are doing is creating a file that we will use to mount at /tmp. So log into SSH and su to root so we may begin!

    code:
    cd /dev

    Create 100MB file for our /tmp partition. If you need more space, make count size larger.

    code:
    dd if=/dev/zero of=tmpMnt bs=1024 count=100000


    Make an extended filesystem for our tmpMnt file

    code:
    /sbin/mke2fs /dev/tmpMnt

    Back up your /tmp dir. I had a mysql.sock file that I needed to recreate the symbolic link for. Other programs may use it to store cache files or whatever.

    code:
    cd /

    code:
    cp -R /tmp /tmp_backup

    Mount the new /tmp filesystem with noexec

    code:
    mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

    code:
    chmod 0777 /tmp

    Copy everything back to new /tmp and remove backup

    code:
    cp -R /tmp_backup/* /tmp/

    code:
    rm -rf /tmp_backup

    Now we need to add this to fstab so it mounts automatically on reboots.

    code:
    pico -w /etc/fstab

    You should see something like this:
    code:
    /dev/hda3 / ext3 defaults,usrquota 1 1
    /dev/hda1 /boot ext3 defaults 1 2
    none /dev/pts devpts gid=5,mode=620 0 0
    none /proc proc defaults 0 0
    none /dev/shm tmpfs defaults 0 0
    /dev/hda2 swap swap defaults 0 0


    At the bottom add
    code:
    /dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

    (Each space is a tab)
    Save it!
    Ctrl + X and Y

    You're done. /tmp is now mounted as noexec. You can sleep a little bit safer tonight. I created a hello world C++ program and compiled it, then moved it to /tmp. Upon trying to run it (even chmod +x'ed), it gives the following error:

    code:
    bash: ./a.out: Permission denied

    Yay! /tmp no longer has execute permissions :-D
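    A check for the result of the procedure above, added here and not part of gopal's post: it parses a /proc/mounts style listing (a constructed sample is embedded; omit the third argument to read the live file) and reports which of the required options are absent from a mountpoint's entry, so the fstab edit can be verified after a reboot.

```sh
#!/bin/sh
# Added example, not from the thread: verify that a mountpoint really carries
# the hardening options (noexec, nosuid, nodev) by reading a /proc/mounts
# style listing. Works for the loop-mounted /tmp built above and for a
# bind mount alike, since only the live option list is inspected.

# Constructed sample in /proc/mounts format. The /tmp line is what the
# "mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp" step leaves behind;
# /var/tmp is deliberately left unprotected.
SAMPLE_MOUNTS='/dev/hda3 / ext3 rw,usrquota 0 0
/dev/hda1 /boot ext3 rw 0 0
none /dev/shm tmpfs rw 0 0
/dev/loop0 /tmp ext2 rw,nosuid,noexec 0 0
/dev/hda3 /var/tmp ext3 rw 0 0'

# missing_opts MOUNTPOINT REQUIRED_CSV [MOUNTS_TEXT]
# Prints each required option absent from MOUNTPOINT's option list, one per
# line, or "not-mounted" when no entry matches. Returns 0 only when nothing
# is missing. Reads the live /proc/mounts when MOUNTS_TEXT is omitted.
missing_opts() {
    mp=$1; required=$2; mounts=${3:-$(cat /proc/mounts)}
    # The last matching line wins, which is what a stacked mount looks like.
    opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        echo not-mounted
        return 1
    fi
    rc=0
    for want in $(printf '%s' "$required" | tr ',' ' '); do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$want"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone run over the constructed sample: /tmp passes noexec/nosuid but
# lacks nodev, and /var/tmp (which /scripts/securetmp also covers) has none.
for mp in /tmp /var/tmp; do
    if missing_opts "$mp" noexec,nosuid,nodev "$SAMPLE_MOUNTS" >/dev/null; then
        echo "$mp: ok"
    else
        echo "$mp: missing $(missing_opts "$mp" noexec,nosuid,nodev "$SAMPLE_MOUNTS" | tr '\n' ' ')"
    fi
done
```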
     
  2. chirpy

    chirpy Well-Known Member

    Or, just run /scripts/securetmp and save yourself the hassle :rolleyes:
     
  3. gopal

    gopal Guest

    Hi Chirpy,

    This is the general method, not only for cPanel; it applies to all Linux OSes.
     
  4. chirpy

    chirpy Well-Known Member

    However, this is the cPanel forums so you're more than likely going to have people coming here for a cPanel solution. Why do all that work when you can just run one script?
     
  5. markhard

    markhard Well-Known Member

    Does that trick work on a VPS?

    I ran /scripts/securetmp on my VPS but it didn't work; users can still write and run scripts in /tmp.
     
  6. chirpy

    chirpy Well-Known Member

    Securing /tmp is something of a false security, to be honest. You will still be able to copy scripts to it and then run them through the interpreter. So, this shouldn't work:

    /tmp/script.pl

    But this always will:

    perl /tmp/script.pl
     
  7. markhard

    markhard Well-Known Member

    But if users can't write/copy files to /tmp then they can't run any script.

    I guess securing /tmp means making it not writeable too?
     
  8. chirpy

    chirpy Well-Known Member

    No, /tmp should always be writeable to everyone - it's the place where temporary files are meant to be created by CGI scripts, PHP scripts, server services, etc.
     
  9. markhard

    markhard Well-Known Member

    so it is impossible then, to protect our server from users installing IRC bot, psyBNC, etc? :confused:
     
  10. chirpy

    chirpy Well-Known Member

    Well, users can install anything into their own web space. /tmp/ protection is about making it harder for hackers who use vulnerabilities in your users' CGI/PHP scripts to upload files to your /tmp/ directory.

    Your best defence is a correctly configured hardware or software (iptables) firewall that blocks unused incoming and outgoing ports.

    cPanel does have limited ability to get rid of some of those things: WHM > System Health > Background Process Killer

    You should also enable fork bomb protection under WHM > Shell Fork Bomb Protection

    The rest is about knowing your server and checking it with security apps and sys admin tools.
     
  11. WhatsYourDomain

    What about VPS?

    I get:

    # /scripts/securetmp
    Would you like to secure /tmp & /var/tmp at boot time? (y/n) y
    Would you like to secure /tmp & /var/tmp now? (y/n) y
    Securing /tmp & /var/tmp
    The system does not support loop devices.

    filesystems:

    # df -h
    Filesystem Size Used Avail Use% Mounted on
    /dev/simfs 245G 2.7G 242G 2% /

    How can I mount /tmp as a partition? Or is that not needed.
     
  12. WhatsYourDomain

    This worked for me.

    mount -o bind,nosuid,noexec,nodev,rw /var/tmp /tmp

    /scripts/securetmp
     