
/tmp Security

Discussion in 'Security' started by xphost, May 28, 2004.

  1. xphost

    xphost Well-Known Member

    What is better?

    1) /scripts/securetmp

    or

    2)

    ====================================

    a) cd /dev

    b) Create a 200mb file in /dev
    dd if=/dev/zero of=tmpMnt bs=1024 count=200000

    c) Make an extended filesystem for our tmpMnt file
    mke2fs /dev/tmpMnt (hit y when prompted)

    d) Backup your /tmp dir
    cd /
    cp -R /tmp /tmp_backup

    e) Mount the new /tmp filesystem with noexec.
    mount -o loop,nosuid,noexec,rw /dev/tmpMnt /tmp
    chmod 1777 /tmp

    f) Copy everything back to new /tmp verify and remove backup
    cp -R /tmp_backup/* /tmp/
    cd /tmp
    ls -la (verify the files are there)
    rm -rf /tmp_backup

    g) Add to fstab so it mounts automatically on reboots.
    pico -w /etc/fstab

    You will see something like this:

    LABEL=/ / ext3 defaults 1 1
    none /dev/pts devpts gid=5,mode=620 0 0
    LABEL=/home /home ext3 defaults 1 2
    none /proc proc defaults 0 0
    none /dev/shm tmpfs defaults 0 0
    LABEL=/usr /usr ext3 defaults 1 2
    LABEL=/var /var ext3 defaults 1 2
    /dev/hda6 swap swap defaults 0 0


    At the bottom add:
    /dev/tmpMnt /tmp ext2 loop,nosuid,noexec,rw 0 0 (on one line)

    (Each space is a tab)

    Ctrl + X and Y to exit and save.

    You're done: /tmp is now mounted as noexec.

    then

    cd /var
    rm -rf /var/tmp
    ln -s /tmp /var/tmp
    ====================================



    or anything else?
     
  2. linux-image

    linux-image Well-Known Member

    Easiest is /scripts/securetmp, and as far as I could see, it is good too.
     
  3. kofi

    kofi Well-Known Member
    PartnerNOC

    For those who are interested:

    If you are having problems with the size of the /tmp partition, then do the following.

    cp -Rf /tmp /tmp_backup
    umount -l /var/tmpMnt
    rm -rf /var/tmpMnt

    Find this line in /scripts/securetmp:

    dd if=/dev/zero of=tmpMnt bs=1024 count=200000

    Change the count=(the size you wish in bytes)

    Save the file.

    run /scripts/securetmp
    cp /tmp_backup/* /tmp/

    This should work. We had many problems with having the 200MB /tmp partition, especially when users were making backups or accounts were being transferred to another server. Make it 2GB to be on the safe side.

    Regards,
    Aaron
     
  4. linux-image

    linux-image Well-Known Member

    Just be careful about the link of mysql.sock at /tmp.

    Otherwise you might end up showing a "phpbb critical" at times.

    Or is it done by the securetmp script too?
     
  5. kofi

    kofi Well-Known Member
    PartnerNOC

    /scripts/securetmp does this for you.

    If you take a look at the sequence I was giving, I backed up the /tmp dir first; that way you will not remove the mysql socket file.
     
  6. linux-image

    linux-image Well-Known Member

    Nope... the script doesn't. I just checked it, but your cp does help :)
     
  7. kofi

    kofi Well-Known Member
    PartnerNOC

    Sorry, my mistake, I thought it did...
     
  8. Sheldon

    Sheldon Well-Known Member

    Before I do this, is there anything else I should take into consideration?

    Obviously you guys copy the tmp directory and then place the files in tmp back into the new tmp? And you make it like 2GB... As a new server administrator, could someone type out the steps 1 by 1 for me? I don't want to fudge this up.

    Thanks
     
  9. linux-image

    linux-image Well-Known Member

    What kofi said was a step-by-step description. There is nothing more to explain, and I guess he was pretty clear too :)
     
  10. tvcnet

    tvcnet Well-Known Member
    PartnerNOC

    Excellent Thread. Thanks.

    Just FYI and more fodder for thought.
    This is what we do as a general rule when building a new server setup:

    1. Make sure the /tmp partition is set to at least 1GB of space
    2. Make sure the directories have the following:
    none on /dev/shm type tmpfs (rw,noexec,nosuid)
    /dev/sda3 on /tmp type ext3 (rw,noexec,nosuid,loop=/dev/loop0)

    3. Remove /var/tmp completely, then symlink it to /tmp


    Any other recommendations on improving this general method would be great to hear as well.


    Best Wishes,
    Jim Walker
    TVCNet.com
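
Added example, not part of any post in this thread: a check for the mount options discussed above (step g of the first post and the list in post 10). The function names `audit` and `sample_table` are made up for this example, and the sample table is constructed from the fstab in the first post with the step g line appended; it shows that /tmp is covered while /dev/shm with `defaults` is not.

```sh
#!/bin/sh
# Added example, not from the thread: audit temp mount points for noexec/nosuid.
# Input is a table in fstab layout (device, mount point, type, options, ...).
# /proc/mounts uses the same layout, so the same function checks the live
# mounts and what will be mounted after a reboot.

audit() {
    awk -v want="/tmp /dev/shm" '
        BEGIN { n = split(want, mps, " ") }
        /^[ \t]*#/ || NF < 4 { next }      # skip comments and incomplete lines
        { opts[$2] = $4 }                  # a later entry for a mount point wins
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                mp = mps[i]
                if (!(mp in opts)) {
                    print "WEAK " mp ": no separate mount"
                    bad = 1
                    continue
                }
                o = "," opts[mp] ","       # "defaults" implies exec and suid
                miss = ""
                if (o !~ /,noexec,/) miss = miss " noexec"
                if (o !~ /,nosuid,/) miss = miss " nosuid"
                if (miss != "") { print "WEAK " mp ": missing" miss; bad = 1 } else print "OK " mp
            }
            exit bad                       # non-zero when anything is weak
        }' "$@"
}

# Constructed sample: the fstab shown in the first post with the step g line added.
sample_table() {
    cat <<'EOF'
LABEL=/ / ext3 defaults 1 1
none /dev/shm tmpfs defaults 0 0
LABEL=/var /var ext3 defaults 1 2
/dev/hda6 swap swap defaults 0 0
/dev/tmpMnt /tmp ext2 loop,nosuid,noexec,rw 0 0
EOF
}

# With a file argument audit that file; with none, audit the constructed sample.
if [ "$#" -gt 0 ]; then audit "$1"; else sample_table | audit || true; fi
```

Pass /proc/mounts as the argument to check the running system and /etc/fstab to check what will be mounted after a reboot.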
     
  11. Sheldon

    Sheldon Well-Known Member

    Can you explain all of that?

    I don't know how to do any of that. Still new.

    I don't know how to remove suid from a directory etc...

    Or how to set /tmp to 1GB?

    Can you please explain how to do all of this?
     