Securing Your /tmp Partition with Cpanel/WHM

Securing Your /tmp Partition with Cpanel/WHM

If you are renting a server then chances are everything is lumped in / and a small amount partitioned for /boot and some for swap. With this current setup, you have no room for making more partitions unless you have a second hard-drive. Learn how to create a secure /tmp partition even while your server is already up and running.
Recently, I found out it would be worthwhile to give /tmp it's own partition and mount it using noexec- This would protect your system from MANY local and remote exploits of rootkits being run from your /tmp folder.

What we are doing it creating a file that we will use to mount at /tmp. So log into SSH and SU to root so we may being!

code:
cd /dev

Create 100MB file for our /tmp partition. If you need more space, make count size larger.

code:
dd if=/dev/zero of=tmpMnt bs=1024 count=100000

Make an extended filesystem for our tmpMnt file

code:
/sbin/mke2fs /dev/tmpMnt

Backup your /tmp dir- I had mysql.sock file that I needed to recreate the symbolic link for. Other programs may use it to store cache files or whatever.

Article provided by WebHostGear.com

code:
cd /

code:
cp -R /tmp /tmp_backup

Mount the new /tmp filesystem with noexec

code:
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

code:
chmod 1777 /tmp

Copy everything back to new /tmp and remove backup

code:
cp -R /tmp_backup/* /tmp/

code:
rm -rf /tmp_backup

Now we need to add this to fstab so it mounts automatically on reboots.

code:
pico -w /etc/fstab

You should see something like this:
code:
/dev/hda3               /                       ext3    defaults,usrquota        1 1
/dev/hda1               /boot                   ext3    defaults        1 2
none                    /dev/pts                devpts gid=5,mode=620 0 0
none                    /proc                   proc    defaults        0 0
none                    /dev/shm                tmpfs   defaults        0 0
/dev/hda2               swap                    swap    defaults        0 0

At the bottom add
code:
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

(Each space is a tab)
Save it!
Ctrl + X and Y

Your done- /tmp is now mounted as noexec. You can sleep a little bit safer tonight. I created a hello world c++ and compiled it then moved it to /tmp. Upon trying to run it (even chmod +x'ed), it gives the following error:

code:
bash: ./a.out: Permission denied

Yay! /tmp no longer has execute permissions :-D

New! - Need server help? Hire an Expert

Sources

Discuss this article with others in our new hosting forums

Comments / Feedback

GIGI
look this
------------
root@localhost [~]# sh ./Install_DigiChat.bin -i console
Preparing to install...
tail: `-1' option is obsolete; use `-n 1'
Try `tail --help' for more information.
./Install_DigiChat.bin: line 329: [: `)' expected, found -z
WARNING! The amount of /tmp disk space required and/or available
could not be determined. The installation will be attempted anyway.
Extracting the JRE from the installer archive...
Unpacking the JRE...
Extracting the installation resources from the installer archive...
Configuring the installer for this system's environment...

Launching installer...

./Install_DigiChat.bin: /tmp/install.dir.3158/Linux/resource/jre/bin/java: /bin/sh: bad interpreter: Permission denied
-------
pliz help me....

kel
How to increase the /tmp space? I got this error: Warning: Unknown(): write failed: No space left on device (28) in Unknown on line 0 Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0 Please help as soon. thanks

mazen
I make the step by step when I type mount command I get this message root@server [/]# mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp mount: Could not find any loop device, and, according to /proc/devices, this kernel does not know about the loop device. (If so, then recompile or `insmod loop.o'.)

cruz
3 things. Does this break cpanel in its normal use and in updates? If I want to revert back to the way it was before doing this modification, how is it done? Do I have to reboot the server once this I implement the changes?

Rona
Can anybody tell me now how to unsecure /tmp because when i install DigiChat it's give me this error root@server [/home]# sh ./Install_DigiChat.bin -i console /home Preparing to install... Extracting the JRE from the installer archive... Unpacking the JRE... Extracting the installation resources from the installer archive... Configuring the installer for this system's environment... Launching installer... ./Install_DigiChat.bin: /tmp/install.dir.9155/Linux/resource/jre/bin/java: /bin/sh: bad interpreter: Permission denied Hope to get help ... :) Regards

Michael Curtis
Instructions worked perfect for me other than that one warning about a block device. One tip, any path which exists and is owned by 'nobody'... create the directory under /tmp and make a symlink... this can be used to make any path noexec, anywhere on the server... just make sure /tmp has enough space ;)

Mateus
Hi, thanks for this tuto..
But, i already have this partition
LABEL=/tmp /tmp ext3 defaults 1 2

my server is in theplanet and is the default mount for them.. how can i modify this ? thank you!

netkinetics
Change defaults to say noexec,nosuid if you already have a seperate /tmp partition.

Then umount / mount it again.

Also do the same with the /dev/shm mount.

Don't forget to secure /usr/local/apache/proxy, its 777 and owned by nobdoy after every apache build on cpanel servers. Change it to 0400 and owned by root.root , or safely remove it. If you use mod_proxy you should setup another loop device like in this tutorial and mount it to /usr/local/apache/proxy to run your proxy safely.

M.S.
Would you whiners stop bitching and pick up a manual? This guy was kind enough to offer you a solution. So STFU. As for the perl/php errors, just edit your php.ini and make sure safe mode is on, sql safe mode is on, and make sure that url_fopen and file uploads are off. you'll be good to go.

Vijay
Hi,

/scripts/securetmp
Would you like to secure /tmp & /var/tmp at boot time? (y/n) y
Would you like to secure /tmp & /var/tmp now? (y/n) y
Securing /tmp & /var/tmp
/tmp is already secure
/var/tmp is already secure
Process Complete.

But fstab does not show noexec,
# cat /etc/fstab
# This file is edited by fstab-sync - see 'man fstab-sync' for details
LABEL=/tmp /tmp ext3 defaults 1 2

I request others to verify whether following method is correct for CPanel 10.8. ?

1) Because cpanel installed with /tmp saperate partition. - we do not need to change/recreate partition & copy.
2) modify /etc/fstab to following.
LABEL=/tmp /tmp ext3 loop,noexec,nosuid,rw 0 0
3) reboot server.

Rick
I just wanted to say thanks for this tutorial! My /tmp partition was created too small, and my /home partition is huge, so I used your tutorial to mount a new tmp partition inside my /home directory. Worked like a charm, thanks a bunch! :)

guy
so does this just create another tmp folder in /dev rather than /var/tmpDSK or something? how does everything forward to this folder rather than the old just /tmp? I don't quite understand, thanks.

Securing Your /tmp Partition with Cpanel/WHM

New! - Need server help? Hire an Expert

Sources

Related Articles