Securing the /tmp Partition

Postby lik » Mon May 18, 2009 7:43 am

It is recommended to create /tmp as a separate partition and mount it with the noexec, nosuid and nodev options. /tmp is world-writable, so it is the usual place where an attacker who has gained a foothold (for example through a web application running as the web server user) drops and runs tools; the aim is to make anything written there useless as an executable.

* The noexec option makes the kernel refuse to execute any file on that file system directly, whatever the file's mode bits say (execution fails with "Permission denied"). It does not stop an interpreter from reading a script stored there: "sh /tmp/x.sh" or "perl /tmp/x.pl" still runs, so noexec raises the bar for dropped binaries rather than making /tmp harmless.
* The nosuid option makes the kernel ignore the set-user-ID and set-group-ID bits on files in that file system, so a setuid binary copied to /tmp runs with the caller's own privileges. This prevents SUID attacks on, say, the /tmp file system.
* The nodev option, used in the fstab examples below, makes the kernel ignore block and character device nodes on that file system, so a device file created in /tmp cannot be used to reach a raw disk or memory.

To secure the /tmp partition of your server:

* If /tmp is already a separate partition on the server, you only need to edit /etc/fstab and add the noexec, nosuid and nodev options to its entry, then remount it (mount re-reads the options from /etc/fstab when only the mount point is given):
# cat /etc/fstab

# <fs>        <mountpoint>  <type>          <opts>                    <dump/pass>
/dev/sda6          /tmp          ext2    rw,noexec,nosuid,nodev           1 2

# mount -o remount /tmp

Afterwards check the live mount table with mount or findmnt: the options must show up there, not only in /etc/fstab.


* If the /tmp directory resides on the '/' partition (no separate partition exists), create a file system image in a file and loop-mount it on /tmp:
1. Create a 512 MB file to hold the new file system and format it. mkfs asks for confirmation because the target is a regular file rather than a block device; answer y. Keep the image readable by root only (mode 0600), otherwise any local user could read other users' temporary files straight out of the image file:
# mkdir /filesystems
# dd if=/dev/zero of=/filesystems/tmp_fs bs=1M count=512
# mkfs.ext3 /filesystems/tmp_fs

2. Add this line to /etc/fstab (the loop option makes mount attach the file to a loop device automatically; nodev is added for the same reason as above; the pass number 1 is reserved for the root file system, so use 2):
/filesystems/tmp_fs /tmp ext3 loop,noexec,nosuid,nodev 0 2

3. Move the current contents of /tmp out of the way, for example by renaming /tmp to /tmp.old and creating an empty /tmp in its place. Programs that still hold files open in the old directory keep using them, so do this with services stopped if you can.
4. Mount the new /tmp file system:
# mount /tmp

A freshly created file system's root directory is mode 0755, so set the usual world-writable mode with the sticky bit (1777) on the mounted /tmp with chmod, or unprivileged users will not be able to create files there.
5. Move the content of the old /tmp directory into the new one, then confirm with mount that /tmp is listed with noexec,nosuid,nodev.
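The steps above say nothing about how to confirm that the options actually took effect, and the chmod step is easy to forget. The following POSIX shell script is an added example, not code from the original post: it reads a mount table in fstab or /proc/mounts format (both use the same column layout), reports which of noexec, nosuid and nodev are missing from the /tmp entry, and checks that the /tmp directory has mode 1777. The file name tmp_audit.sh is assumed; the script only reads files and needs no privileges.

```shell
#!/bin/sh
# tmp_audit.sh (assumed name): verify that /tmp is mounted the way the post
# recommends. Added example, not code from the original post.
#
# Usage: sh tmp_audit.sh /proc/mounts /etc/fstab
# With no arguments it only defines the functions, so it can be sourced.

REQUIRED_OPTS="noexec nosuid nodev"

# table_opts FILE [MOUNTPOINT]
# Print the option field (4th column) of MOUNTPOINT's entry in FILE, which may
# be /etc/fstab or /proc/mounts. Comment lines are ignored. If the mountpoint
# appears more than once, the last entry wins: in /proc/mounts that is the
# mount currently visible on top. Prints nothing if there is no entry.
table_opts() {
    awk -v mp="${2:-/tmp}" \
        '$1 !~ /^#/ && NF >= 4 && $2 == mp { opts = $4 }
         END { if (opts != "") print opts }' "$1"
}

# missing_opts OPTION_STRING
# Given a comma-separated option string such as "rw,noexec,nosuid", print the
# required options that are absent, space-separated (empty line if none).
missing_opts() {
    padded=",$1,"
    missing=""
    for o in $REQUIRED_OPTS; do
        case "$padded" in
            *",$o,"*) ;;                              # option present
            *) missing="${missing:+$missing }$o" ;;   # option absent
        esac
    done
    printf '%s\n' "$missing"
}

# tmp_mode_ok DIR
# Return 0 if DIR is world-writable with the sticky bit set (mode 1777): users
# may create files but only delete their own. A freshly created file system's
# root directory is 0755, which is why this check exists after a migration.
# Uses ls -ld instead of stat so it works without GNU coreutils.
tmp_mode_ok() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        drwxrwxrwt*) return 0 ;;
        *)           return 1 ;;
    esac
}

# audit_tmp FILE
# Report on the /tmp entry in FILE; returns 0 only if noexec, nosuid and nodev
# are all present.
audit_tmp() {
    opts=$(table_opts "$1" /tmp)
    if [ -z "$opts" ]; then
        echo "$1: no entry for /tmp (still part of the / file system?)"
        return 1
    fi
    missing=$(missing_opts "$opts")
    if [ -n "$missing" ]; then
        echo "$1: /tmp has '$opts', missing: $missing"
        return 1
    fi
    echo "$1: /tmp OK ($opts)"
    return 0
}

if [ $# -gt 0 ]; then
    rc=0
    for table in "$@"; do
        audit_tmp "$table" || rc=1
    done
    if tmp_mode_ok /tmp; then
        echo "/tmp: mode 1777 OK"
    else
        echo "/tmp: mode is not 1777 (fix with chmod 1777 /tmp)"
        rc=1
    fi
    exit $rc
fi
```

Run it against /proc/mounts to see what the kernel is actually enforcing and against /etc/fstab to see what the next boot will apply; the two can disagree after an edit without a remount, which is exactly the case the check is meant to catch.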