Secure TMP and TMPFS on CentOS 6

  • Last Created On Dec 10, 2024
  • 6
0 0

Temporary directories such as /tmp/var/tmp, and /dev/shm offer a platform for hackers to run scripts and programs. These malicious executables are used to abuse or compromise your server. Ideally the /tmp directory should be mounted on its own partition with limited permissions.

This guide is for AKLWEB Host users whose server configuration does not include a mounted /tmp directory on its own partition, which leaves these directories insecure and vulnerable. Implementing this guide will make it extremely difficult for hackers to use these directories.

Note: Default CentOS installations do not mount the /tmp directory on its own partition.

Change to the home directory.

 cd /home

Make a file in the home directory with any name. Here we are using ‘mntTmp’ and creating a 2GB file. You can adjust this to suit your needs.

 dd if=/dev/zero of=mntTmp bs=1024 count=2000000

Make an extended filesystem for this file.

 mkfs.ext4  /home/mntTmp

Back up your current /tmp directory.

 cp -Rpf /tmp /tmp_backup1

Return to the base directory.

 cd /

Create the /tmp mounting option to run at boot by using a text editor.

 nano /etc/fstab

Add the following to the bottom of the fstab file on a separate line. Then press enter to ensure there is an empty line beneath it (the empty line is important to avoid running into problems when rebooting).

 /home/mntTmp   /tmp    ext4    loop,nosuid,noexec,nodev,rw 0 0

Note: This mount may need to be temporarily removed when you compile or install software

Keep the file open as another line is going to be changed.

CentOS uses a temporary filesytem (tmpfs) in virtual memory called “shm”. It appears mounted despite the fact that it is not a physical file system. We can apply permissions to secure shm. Look for the line in the fstab file with tmpfs and /shm. Replace 'defaults' with 'defaults,nosuid,noexec,nodev'. Save the file.

You can now mount the /tmp file system.

 mount -o loop,nosuid,noexec,nodev /home/mntTmp /tmp

Set read, write, execute permissions.

 chmod 777 /tmp

Check for any mounting errors with the new boot settings.

 mount -o remount /tmp

Move the /tmp backup which you created back to the mounted /tmp file system.

 mv /tmp_backup1/* /tmp/

Remove the backup that you created.

 rm -Rf /tmp_backup1

Backup up /var/tmp.

 cp -Rpf var/tmp /tmp_backup2

Remove the /var/tmp directory.

 rm -Rf /var/tmp

Create a symbolic link from /var/tmp to /tmp.

 ln -s /tmp /var/tmp

Copy the /var/tmp backup to /tmp.

 mv /tmp_backup2/* /tmp/

Remove the backup.

 rm -Rf /tmp_backup2

Optional

Depending on the specific software you are using, you may have a “tmp” directory in the home directory. You can remove this directory and create a symbolic link to /tmp. Care should exercised when doing this as it may break the software, particularly web hosting software.

 rm -Rf /home/tmp
 ln -s /tmp /home/tmp
Views: 6

Recent Articles

  • How to Install JAX with ROCm Acceleratio...
    96
  • Deploy a PyTorch Workspace on a Vultr Cl...
    71
  • Managing Backup Storage
    82
  • Automating FTP Backups in Windows Server
    71
  • Automating FTP Backups in Linux
    75

Popular Articles

  • Our General Terms & Conditions
    2631
  • Our Privacy Policy
    2477
  • Our Cookies Policy
    275
  • Our Terms of Use
    152
  • How to Install JAX with ROCm Acceleratio...
    96