It is recommended to create /tmp as a separate partition and mount it with the noexec and nosuid options.
* The noexec option disables the executable file attribute within an entire file system, effectively preventing any files within that file system from being executed.
* The nosuid option disables the SUID file attribute within an entire file system. This prevents SUID attacks on, say, the /tmp file system.
To secure the /tmp partition of your server:
1. If /tmp is a separate partition on the server, you only need to edit /etc/fstab and add the noexec and nosuid options for /tmp. Then remount the partition:
# cat /etc/fstab
# <fs> <mountpoint> <type> <opts> <dump/pass>
/dev/sda6 /tmp ext2 rw,noexec,nosuid,nodev 1 2
# mount -o remount /tmp
2. If the /tmp directory resides on the '/' partition:
1. Create a new partition for /tmp, for example with size 512 MB:
# mkdir /filesystems
# dd if=/dev/zero of=/filesystems/tmp_fs bs=1M count=512   # writes a 512 MB image file
# mkfs.ext3 /filesystems/tmp_fs
2. Add the following line to /etc/fstab:
/filesystems/tmp_fs /tmp ext3 noexec,nosuid,loop 1 1
3. Move the current content of /tmp to another location.
4. Mount the new /tmp partition:
# mount /tmp
5. Move the content from the old /tmp directory to the new one.
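After the remount it is worth verifying that /tmp really is a separate mount and carries the hardening options. The script below is an added example and not part of the original post: it parses a mount table in /proc/mounts format and reports which of noexec, nosuid and nodev are missing. The mount tables embedded in it are constructed samples; on a live system pass it the real table with check_tmp "$(cat /proc/mounts)".

```shell
#!/bin/sh
# Added example: check that the /tmp mount carries noexec, nosuid and nodev.
# Input is a mount table in /proc/mounts format (device, mountpoint, type,
# options, dump, pass). Sample tables below are constructed, not captured.

# tmp_opts TABLE -> prints the option field of the /tmp entry (last one wins,
# as later mounts shadow earlier ones); prints nothing if /tmp is not mounted
tmp_opts() {
    printf '%s\n' "$1" | awk '$2 == "/tmp" { print $4 }' | tail -n 1
}

# has_opt OPTS NAME -> exit 0 when NAME is present as a whole option
# (comma-delimited match, so "noexec" does not match "noexecute")
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_tmp TABLE -> prints "ok", or the missing options, or a notice that
# /tmp is not a separate mount; exit status is 0 only when all options are set
check_tmp() {
    opts=$(tmp_opts "$1")
    if [ -z "$opts" ]; then
        echo "/tmp is not a separate mount"
        return 1
    fi
    missing=""
    for o in noexec nosuid nodev; do
        has_opt "$opts" "$o" || missing="$missing $o"
    done
    if [ -z "$missing" ]; then
        echo "ok"
        return 0
    fi
    echo "missing:$missing"
    return 1
}

# Constructed sample tables in /proc/mounts layout.
HARDENED='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda6 /tmp ext2 rw,noexec,nosuid,nodev 0 0'

WEAK='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda6 /tmp ext2 rw,relatime 0 0'

NOTMP='/dev/sda1 / ext4 rw,relatime 0 0'

# When run directly on a Linux host, report on the live mount table.
if [ -r /proc/mounts ]; then
    check_tmp "$(cat /proc/mounts)" || :
fi
```

The check reads the kernel's view of the mount rather than /etc/fstab, so it also catches the case where fstab was edited but the remount never happened. The same option field can be obtained with findmnt -n -o OPTIONS /tmp on systems that ship util-linux.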