What is good practice making /tmp /var/tmp noexec on cpanel server?

Discussion in 'General Discussion' started by postcd, Sep 6, 2017.

  1. postcd

    postcd Well-Known Member

    Hello,

    I read a few topics on how to make /tmp, /var/tmp and /dev/shm a "noexec" mount point.

    SOLVED - secure /tmp directory
    CentOS OpenVZ – how to secure tmp directory
    Mount /tmp with noexec,nosuid options on Openvz
    OpenVZ Forum: Users » How do I mount /tmp on VEs with noexec,nosuid options?

    Currently I have this on my cPanel OpenVZ VPS & CentOS6:
    # df -h|grep -v virtf
    Code:
    Filesystem      Size  Used Avail Use% Mounted on
    /dev/simfs      342G  105G  238G  31% /
    none            9.0G  4.0K  9.0G   1% /dev
    none            9.0G  4.0K  9.0G   1% /dev/shm
    tmpfs           9.0G  1.8M  9.0G   1% /tmp
    tmpfs           9.0G  4.0K  9.0G   1% /var/tmp
    # mount|grep -v virtfs
    Code:
    /dev/simfs on / type simfs (rw,relatime,usrquota,grpquota)
    proc on /proc type proc (rw,relatime)
    sysfs on /sys type sysfs (rw,relatime)
    none on /dev type devtmpfs (rw,relatime,mode=755)
    none on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
    none on /dev/shm type tmpfs (rw,nosuid,noexec,relatime)
    none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,relatime)
    tmpfs on /tmp type tmpfs (rw,nosuid,noexec,relatime)
    tmpfs on /var/tmp type tmpfs (rw,nosuid,noexec,relatime)
    # free -mht
    Code:
                 total       used       free     shared    buffers     cached
    Mem:           18G       8.4G       9.6G       1.7M         0B       5.7G
    -/+ buffers/cache:       2.7G        15G
    Swap:         2.0G        13M       2.0G
    Total:         20G       8.4G        11G
    But it does not look good (all three have a 9GB virtual size in RAM - tmpfs). Would it be better to have it on HDD instead, with a different size? Which size do you recommend, roughly, in my case, please?

    In the mentioned post (SOLVED - secure /tmp directory) there is advice to symlink /var/tmp -> /tmp. Is it wise to do so?

    PS: before the mount or remount I assume stopping the cpanel, httpd and mysql services, then rsyncing all tmp folders, doing the mount or remount, rsyncing the files back and then starting the services.

    Thank You
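
An added example, not part of the original post: a check that takes `mount` output in the format shown above and confirms that /tmp, /var/tmp and /dev/shm are each their own mount point with both noexec and nosuid. The function and sample names are hypothetical; the first sample reuses lines from the post and the second is constructed.

```shell
# Added example (not from the thread). Parses `mount` lines of the form:
#   <source> on <mountpoint> type <fstype> (<opt>,<opt>,...)
# check_tmp_mounts (hypothetical name) returns 0 only if each target is its
# own mount point carrying both noexec and nosuid.
check_tmp_mounts() {
    awk -v targets="/tmp /var/tmp /dev/shm" -v required="noexec nosuid" '
    BEGIN { nt = split(targets, T, " "); nr = split(required, R, " ") }
    $2 == "on" && $4 == "type" {
        opts = $6; gsub(/[()]/, "", opts)
        seen[$3] = "," opts ","   # a later line for the same path wins
    }
    END {
        bad = 0
        for (i = 1; i <= nt; i++) {
            mp = T[i]
            if (!(mp in seen)) {  # plain directory or symlink, not in the table
                printf "FAIL %s: not a separate mount point\n", mp
                bad = 1; continue
            }
            missing = ""
            for (j = 1; j <= nr; j++)
                if (index(seen[mp], "," R[j] ",") == 0) missing = missing " " R[j]
            if (missing != "") { printf "FAIL %s: missing%s\n", mp, missing; bad = 1 }
            else printf "OK   %s\n", mp
        }
        exit bad
    }'
}

# Lines copied from the mount output in the post above.
sample_hardened() {
    printf '%s\n' \
        '/dev/simfs on / type simfs (rw,relatime,usrquota,grpquota)' \
        'none on /dev/shm type tmpfs (rw,nosuid,noexec,relatime)' \
        'tmpfs on /tmp type tmpfs (rw,nosuid,noexec,relatime)' \
        'tmpfs on /var/tmp type tmpfs (rw,nosuid,noexec,relatime)'
}

# Constructed counter-example: /tmp lacks noexec and /var/tmp is not mounted.
sample_weak() {
    printf '%s\n' \
        '/dev/simfs on / type simfs (rw,relatime,usrquota,grpquota)' \
        'none on /dev/shm type tmpfs (rw,nosuid,noexec,relatime)' \
        'tmpfs on /tmp type tmpfs (rw,nosuid,relatime)'
}

sample_hardened | check_tmp_mounts
sample_weak | check_tmp_mounts || echo "weak sample: hardening incomplete"
```

On a live host the same check runs as `mount | check_tmp_mounts`. A /var/tmp that is a symlink to /tmp does not appear in the mount table, so it is reported as not being a separate mount point.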
     
  2. 24x7server

    24x7server Well-Known Member

    Hi.

    From what I can see, your server is an OpenVZ VPS container, so you will not have a separate partition, and the current tmp that is mounted on your machine is already a block file that is created on your machine, i.e., the hard disk itself. I see no issue with keeping it this way and continuing. What exact issue are you facing with this?
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Your current configuration is one of the more common configurations for the /tmp partition in the cPanel environment. I don't recommend making any changes; however, you will likely find more user feedback on tmpfs performance or reliability at a website such as StackOverflow:

    StackOverFlow - tmpfs search results

    Thank you.
     
  4. postcd

    postcd Well-Known Member

    Thx for the feedback! So from Michael's post, I will assume my setup is OK/optimal, until someone explains it is otherwise.
    BTW: If someone found this topic wanting to apply a noexec tmp setup like mine, here are the steps I did.
     