/tmp & /var/tmp noexec hardening without reboot
After discovering scripts running in my /tmp folder (in CentOS 5.x) I had to harden the directory.
The quickest way to harden /tmp and /var/tmp without rebooting is to put them on a loopback-mounted filesystem image with the noexec and nosuid options, as follows:
Create an empty 2.5 GB file to hold the filesystem image (a size that suits web hosting servers with many websites; adjust it to your needs). The commands below put it in /dev as /dev/tmppart. If /dev is a tmpfs on your system (udev typically mounts it that way on CentOS 5), the file lives in RAM and disappears at the next reboot, so prefer a location on a persistent filesystem such as /var/tmppart and use that path in every command and in the fstab line below.
# cd /dev
# dd if=/dev/zero of=tmppart bs=1024 count=2500000
Now create an ext3 filesystem inside the tmppart file. mkfs will ask whether to proceed, since the destination is not a block device; answer yes (y).
# /sbin/mkfs.ext3 /dev/tmppart
Back up your /tmp directory first, since it may contain files that certain programs need; some use it for cache files, sockets or other temporary data.
# cd /
# cp -a /tmp /tmp_backup
(-a keeps ownership, permissions and symlinks, which a plain -R does not.)
Now mount the new /tmp filesystem with the noexec, nosuid and rw options and set the correct permissions on it: mode 1777, where the sticky bit stops users from deleting or renaming each other's files. Adding nodev as well costs nothing and prevents device nodes from being created in /tmp.
# mount -o loop,noexec,nosuid,rw /dev/tmppart /tmp
# chmod 1777 /tmp
Restore the old /tmp data and remove backup directory:
# cp -a /tmp_backup/. /tmp/
(The /. form also copies dotfiles, which /tmp_backup/* would skip.)
# rm -rf /tmp_backup
We now need to add this to /etc/fstab so it mounts automatically on reboot. Add the following line to /etc/fstab. Unlike the commands above it carries no leading "#" prompt: in fstab a leading # turns the line into a comment, and /tmp would silently come up unhardened at the next boot.
/dev/tmppart /tmp ext3 loop,noexec,nosuid,rw 0 0
You are done! /tmp is now mounted as noexec, nosuid and rw.
Don't forget /var/tmp, which attackers use in the same way. Move the existing directory aside first, otherwise ln creates a /var/tmp/tmp link instead of replacing the directory, then link it to the hardened /tmp and carry its contents over:
# mv /var/tmp /var/tmp_old
# ln -s /tmp /var/tmp
# cp -a /var/tmp_old/. /tmp/ && rm -rf /var/tmp_old
Note that /var/tmp is meant to survive reboots and /tmp is not; anything that relied on that now loses it.
And don't forget to set the right permissions, or some websites will have problems with photo uploads and the like. Re-check the mode after the restore and keep the sticky bit: it must be 1777, not 777, otherwise any user on the box can delete or rename other users' temporary files:
# chmod 1777 /tmp
then restart your services (apache, mysql, etc)
Now test that it works. Create a dummy script in /tmp and mark it executable (without the chmod +x step you would get "Permission denied" on any filesystem, so the test would prove nothing):
# cd /tmp
# echo 'echo hello' > test.sh
# chmod +x test.sh
and execute it directly:
# ./test.sh
If the outcome is:
bash: ./test.sh: Permission denied
then noexec is in effect. You can also confirm the mount options with:
# mount | grep ' /tmp '
Keep in mind what noexec does not do: it only refuses direct execution of files on that filesystem. An attacker who can run an interpreter can still do "sh /tmp/test.sh" or "perl /tmp/x.pl", and can copy a binary to any other writable directory, so treat this as one layer of defence and not a complete one.
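The following script is an added example, not part of the original post: it checks that a mount point really carries the required options by parsing /proc/mounts-format lines, and probes a directory the way the test above does, including the chmod +x step that makes "Permission denied" meaningful. The mount table SAMPLE_MOUNTS is constructed sample data; the function also accepts the live table via "$(cat /proc/mounts)".

```shell
#!/bin/sh
# Added example (not from the original post): verify that a mount point
# carries noexec/nosuid, and probe whether direct execution is refused.
# SAMPLE_MOUNTS is constructed sample data in /proc/mounts format.

SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,data=ordered 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec 0 0
/dev/sda2 /var ext3 rw 0 0
tmpfs /dev/shm tmpfs rw 0 0'

# mount_has_opts TABLE MOUNTPOINT OPT[,OPT...]
# Returns 0 only if MOUNTPOINT appears in TABLE and every listed option is
# present in its option field. Matching is on whole comma-separated tokens,
# so "exec" never matches "noexec". The last entry for a mount point wins,
# which is what applies when something has been mounted over it.
mount_has_opts() {
    table=$1; mnt=$2; want=$3
    opts=$(printf '%s\n' "$table" | awk -v m="$mnt" '$2 == m { o = $4 } END { print o }')
    [ -n "$opts" ] || return 1
    for o in $(printf '%s' "$want" | tr ',' ' '); do
        case ",$opts," in
            *",$o,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# exec_denied DIR
# Writes a small script into DIR, marks it executable and tries to run it
# directly. Returns 0 when the kernel refuses (noexec in effect), 1 when
# the script runs or DIR is not writable. "sh DIR/script" bypasses noexec
# either way, which is why this is only one layer of defence.
exec_denied() {
    probe="$1/noexec-probe.$$"
    printf '#!/bin/sh\necho hello\n' > "$probe" || return 1
    chmod 755 "$probe" || { rm -f "$probe"; return 1; }
    if "$probe" >/dev/null 2>&1; then
        rm -f "$probe"
        return 1
    fi
    rm -f "$probe"
    return 0
}

# Stand-alone run: check the constructed table, then the live system if it
# exposes /proc/mounts (Linux only).
if mount_has_opts "$SAMPLE_MOUNTS" /tmp noexec,nosuid; then
    echo "sample: /tmp has noexec,nosuid"
fi
if [ -r /proc/mounts ]; then
    if mount_has_opts "$(cat /proc/mounts)" /tmp noexec,nosuid; then
        echo "live: /tmp is mounted noexec,nosuid"
    else
        echo "live: /tmp is NOT mounted noexec,nosuid"
    fi
    if exec_denied /tmp; then
        echo "live: direct execution from /tmp is refused"
    else
        echo "live: direct execution from /tmp still works"
    fi
fi
```

Run it as any user after the mount step; the live check reads /proc/mounts rather than trusting the fstab line, so a typo or a commented-out entry shows up as "NOT mounted" instead of going unnoticed until the next reboot.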