Securing Your /tmp Partition with Cpanel/WHM
If you are renting a server, chances are everything is lumped into / with a small partition for /boot and some space for swap. With that layout you have no room to create more partitions unless you have a second hard drive. This guide shows how to create a secure /tmp partition even while your server is already up and running.
Recently I found it worthwhile to give /tmp its own filesystem and mount it with noexec. This protects your system from many local and remote exploits that rely on running rootkits or other binaries from your /tmp folder.
What we are doing is creating a file that we will format and mount at /tmp. So log in over SSH and su to root so we may begin!
code:
cd /dev
Create a 100MB file for our /tmp partition. If you need more space, make the count larger.
code:
dd if=/dev/zero of=tmpMnt bs=1024 count=100000
Make an ext2 filesystem on our tmpMnt file (mke2fs will warn that the file is not a block special device; answer y to proceed).
code:
/sbin/mke2fs /dev/tmpMnt
Back up your /tmp dir. I had a mysql.sock file there and needed to recreate the symbolic link for it afterwards; other programs may use /tmp to store cache files or similar.
code:
cd /
code:
cp -R /tmp /tmp_backup
Mount the new /tmp filesystem with noexec and nosuid, then restore the sticky, world-writable permissions /tmp needs.
code:
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
code:
chmod 1777 /tmp
Copy everything back to the new /tmp and remove the backup.
code:
cp -R /tmp_backup/* /tmp/
code:
rm -rf /tmp_backup
Now we need to add this to fstab so it mounts automatically on reboots.
code:
pico -w /etc/fstab
You should see something like this:
code:
/dev/hda3 / ext3 defaults,usrquota 1 1
/dev/hda1 /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/hda2 swap swap defaults 0 0
At the bottom add:
code:
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0
(Each space is a tab)
Save it with Ctrl + X, then Y.
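The whole procedure above as one script, together with helpers that verify the result. This is an added example, not part of the original article; the image path /dev/tmpMnt and the 100MB size are taken from the article, while the function names, the -F flag to mke2fs (which skips the "not a block special device" prompt) and the use of cp -a instead of cp -R (so ownership, modes and dotfiles survive the round trip) are my additions. The verification helpers read /proc/mounts-style text, so they can be checked without root.

```shell
#!/bin/sh
# Added example (not from the original article): the /tmp-on-a-loop-file
# procedure as one script, plus root-free checks of the result.
IMAGE=/dev/tmpMnt        # image location as used in the article (assumption kept)
SIZE_KB=100000           # 100MB, as in the article; raise for more space
MOUNT_OPTS=loop,noexec,nosuid,rw

# The fstab entry the article adds, with tab separators.
tmp_fstab_line() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$IMAGE" /tmp ext2 "$MOUNT_OPTS" 0 0
}

# Return 0 if a comma-separated mount option string carries both hardening
# flags the article relies on (noexec and nosuid), 1 otherwise.
has_hardening_opts() {
    case ",$1," in
        *,noexec,*) case ",$1," in *,nosuid,*) return 0 ;; esac ;;
    esac
    return 1
}

# Given /proc/mounts-style text on stdin, print the option string of the
# filesystem mounted on /tmp; exit 1 if /tmp is not a mount point at all.
tmp_mount_opts() {
    awk '$2 == "/tmp" { print $4; found = 1 } END { exit !found }'
}

# The article's procedure, start to finish; refuses to run unless root.
create_secure_tmp() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    dd if=/dev/zero of="$IMAGE" bs=1024 count="$SIZE_KB"
    /sbin/mke2fs -F "$IMAGE"            # -F: target is a file, not a block device
    cp -a /tmp /tmp_backup              # -a keeps ownership, modes and dotfiles
    mount -o "$MOUNT_OPTS" "$IMAGE" /tmp
    chmod 1777 /tmp                     # world-writable with the sticky bit
    cp -a /tmp_backup/. /tmp/
    rm -rf /tmp_backup
    # Add the fstab line only once, so re-running the script stays safe.
    grep -q "^$IMAGE[[:space:]]" /etc/fstab || tmp_fstab_line >> /etc/fstab
}

# Verification: report whether the live /tmp is a separate noexec,nosuid mount.
verify_live_tmp() {
    opts=$(tmp_mount_opts < /proc/mounts) || { echo "/tmp is not a separate mount"; return 1; }
    if has_hardening_opts "$opts"; then
        echo "/tmp ok: $opts"
    else
        echo "/tmp lacks noexec/nosuid: $opts"; return 1
    fi
}

# Usage: sh secure_tmp.sh create (as root)   or   sh secure_tmp.sh verify
case "$1" in
    create) create_secure_tmp ;;
    verify) verify_live_tmp ;;
esac
```

Run the verify mode after every reboot (or from a cron job) so a missing fstab line or a failed loop mount is noticed rather than silently leaving /tmp on the root filesystem without noexec. Keep in mind what noexec covers: it stops the kernel from executing binaries stored under /tmp, but a script handed to an interpreter that lives elsewhere still runs, so treat this as one layer alongside file permissions and monitoring of /tmp rather than a complete barrier.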
You're done: /tmp is now mounted noexec. You can sleep a little safer tonight. To test it, I wrote a hello-world C++ program, compiled it and moved the binary to /tmp. Trying to run it from there (even after chmod +x) gives the following error:
code:
bash: ./a.out: Permission denied
/tmp no longer allows anything to be executed from it.
By: ramprage | Views: 45547 | Date: November 6, 2003