Secure /tmp and /var/tmp and /dev/shm in Centos 7

Richard G

I always use a method to secure my /tmp folder, the /var/tmp (removed and symlinked to /tmp) and the /dev/shm.

Like this:
Code:
# create a 5 GB file that will hold the /tmp filesystem
dd if=/dev/zero of=/var/tmpMnt bs=1024 count=5000000
# format it as a journaled ext4 filesystem
/sbin/mkfs.ext4 -j /var/tmpMnt
cd /
# keep a copy of the current /tmp contents, then empty /tmp
cp -a /tmp /tmp_backup
rm -rf /tmp/.??* /tmp/*
# mount the file over /tmp through a loop device with noexec,nosuid,nodev
mount -o loop,noexec,nosuid,nodev,rw /var/tmpMnt /tmp
# sticky, world-writable permissions as expected for /tmp
chmod 1777 /tmp
# restore the saved contents and make the mount persistent across reboots
cp -a /tmp_backup/.??* /tmp_backup/* /tmp/
rm -rf /tmp_backup
echo "/var/tmpMnt   /tmp   ext4   loop,noexec,nosuid,nodev,rw   0   0" >> /etc/fstab
# replace /var/tmp and /home/tmp with symlinks to the secured /tmp
cp -a /var/tmp/.??* /var/tmp/* /tmp
rm -rf /var/tmp
ln -s /tmp /var/tmp
cp -a /home/tmp/.??* /home/tmp/* /tmp
rm -rf /home/tmp
ln -s /tmp /home/tmp

and after that:
in /etc/fstab change:
none /dev/shm tmpfs defaults,rw 0 0
to
none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
and do mount -o remount /dev/shm

But I now have my first server with Centos 7, which uses a completely different way.
It seems I have to put things in a /etc/systemd/system file, which I don't understand at all yet, not even from the docs. Centos 6 was way easier.
With the method described above, for example, I can't remove the /var/tmp directory because the device or resource is busy, and in df -h the /tmp is not mounted like in Centos 6; in Centos 7 it shows up as a /dev/loop or something like that.

Anyway, can somebody tell me (preferably with a "use this, change that" method, or by changing my method above) how it's done in Centos 7 now? Also for /dev/shm?
 
Try to check with this

vi /etc/fstab
tmpfs /dev/shm tmpfs defaults 0 0 >>>> tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0
mount -o remount /dev/shm

and

mount -o loop,noexec,nosuid,rw /dev/tempNEW /tmp
chmod 1777 /tmp
cp -Rp /tmp_backup/* /tmp/
vi /etc/fstab
/dev/tempAH /tmp ext4 loop,nosuid,noexec,rw 0 0
 
Thank you for your answer.
But in fact you're using the same method as I used until now, which also worked with Centos 6. Except for the fact that you made a file called tempNEW in /dev and I created a tmpMnt in /var.
So it's just other names.

The /dev/shm method is also the same.

It has to be done another way in Centos 7, or, when Centos 7 automatically converts this to its new system (I thought I read something about that), the /var/tmp still needs securing.
 
[cut]
With the method described above, for example, I can't remove the /var/tmp directory because the device or resource is busy, and in df -h the /tmp is not mounted like in Centos 6; in Centos 7 it shows up as a /dev/loop or something like that.

If you have already installed DirectAdmin, I am almost 100% sure that the "device or resource busy" problem on /var/tmp is because of Dovecot processes. If so, it is a tricky one. If I remember correctly, I needed to completely shut down both dovecot and directadmin in order to close the dovecot processes (which were hard to find as well). When you have shut down both dovecot and directadmin and closed all related processes, you should be able to remove /var/tmp.
 
Thank you Ditto.
I tried to find which process was blocking it. But you could very well be right. Normally securing /tmp and /dev/shm is the first thing I do, before installing Directadmin, which can be the reason I did not have this problem before. This time I installed DA first.

Unfortunately I can't succeed. I even created a script so it would stop faster, like this:
Code:
#! /bin/bash
# stop every DirectAdmin-related service that might hold files open under /var/tmp
service directadmin stop
service named stop
service popb4smtp stop
service exim stop
service freshclam stop
service clamd stop
service pure-ftpd stop
service mysql stop
service httpd stop
service dovecot stop
# then try to remove the old directory
rm -rf /var/tmp

But no effect:
Code:
Redirecting to /bin/systemctl stop directadmin.service
Redirecting to /bin/systemctl stop named.service
Redirecting to /bin/systemctl stop popb4smtp.service
Failed to stop popb4smtp.service: Unit popb4smtp.service not loaded.
Redirecting to /bin/systemctl stop exim.service
Redirecting to /bin/systemctl stop freshclam.service
Redirecting to /bin/systemctl stop clamd.service
Redirecting to /bin/systemctl stop pure-ftpd.service
Redirecting to /bin/systemctl stop mysql.service
Failed to stop mysql.service: Unit mysql.service not loaded.
Redirecting to /bin/systemctl stop httpd.service
Redirecting to /bin/systemctl stop dovecot.service
rm: cannot remove ‘/var/tmp’: Device or resource busy
 
Found it, thanks to you Ditto.

I checked the system and found a mariadb service which was running.
So once I added "service mariadb stop" to my script, the /var/tmp was gone.

Thank you for pointing me in the right direction!

Only on df -h the /tmp looks like:
/dev/loop0 4.6G 20M 4.3G 1% /tmp

While on Centos 6 it looks like:
/var/tmpMnt 4.6G 27M 4.4G 1% /tmp

Is that something to worry about that it's not /var/tmpMnt but /dev/loop0 or doesn't that matter?
 
I am not sure, but I don't think it is something you need to worry about. I think I did almost the same as you when setting up /tmp on my CentOS 7 servers, and I also don't get /var/tmpMnt when looking at df -h. I still think it is good to try to secure /tmp on CentOS 7, but like you I was not able to do all the steps I did on CentOS 6, because not all things were the same way on CentOS 7. By the way, here is output from one of my CentOS 7 servers:

Code:
[root@server ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda2       148G   17G  124G  12% /
devtmpfs         63G     0   63G   0% /dev
tmpfs            63G  4.0K   63G   1% /dev/shm
tmpfs            63G  1.7G   62G   3% /run
tmpfs            63G     0   63G   0% /sys/fs/cgroup
/dev/sda3       7.3G   42M  6.8G   1% /tmp
/dev/sda1       477M  129M  319M  29% /boot
/dev/sda6       1.6T  438G  1.1T  29% /home
tmpfs            13G     0   13G   0% /run/user/0
[root@server ~]#
 
Okay, thank you for that output.
It might be different because I'm using software raid.

I read that normally this should be set up in /etc/systemd/system, but I totally don't understand that yet. :)
Things defined in /etc/fstab get converted to something similar and end up in /run/systemd/generator/ for the life of the running environment.
You can copy them from there to /etc/systemd/system and remove them from the generator directory. It says "making any necessary adjustments" to the file.
As I don't understand that system yet, I just keep it like it is now. :)

I've found that info here:
https://www.thegeekdiary.com/centos-rhel-7-how-to-follow-the-mount-order-in-etcfstab/
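For anyone who wants to do that fstab-to-systemd conversion by hand rather than rely on the generator, here is an added example (not from anyone in this thread): a POSIX shell script that prints a systemd mount unit for the loop-backed /tmp with the same noexec,nosuid,nodev options as the fstab line, plus a small check that reads /proc/mounts-style lines and reports which of those options a mount is missing. The backing file /var/tmpMnt comes from the first post; the sample mount lines are constructed for the check.

```shell
#!/bin/sh
# Added example, not code from this thread. Generates a systemd mount unit for a
# hardened loop-backed /tmp and audits mount lines for missing hardening options.

# Print a systemd .mount unit. Args: backing file/device, mount options.
# The unit file must be named after the mount point, i.e. tmp.mount for /tmp.
tmp_mount_unit() {
  what="$1"; opts="$2"
  cat <<EOF
[Unit]
Description=Hardened /tmp on $what
DefaultDependencies=no
Before=local-fs.target

[Mount]
What=$what
Where=/tmp
Type=ext4
Options=$opts

[Install]
WantedBy=local-fs.target
EOF
}

# Given one /proc/mounts line and a list of required options, print the
# options that are absent (space separated). Empty output means compliant.
missing_opts() {
  line="$1"; shift
  opts=$(printf '%s\n' "$line" | awk '{print $4}')
  missing=""
  for want in "$@"; do
    case ",$opts," in
      *",$want,"*) ;;                      # option present
      *) missing="$missing $want" ;;       # option absent
    esac
  done
  printf '%s\n' "${missing# }"
}

# Constructed sample lines in /proc/mounts format (not captured from a real box).
SAMPLE_TMP="/dev/loop0 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0"
SAMPLE_SHM="tmpfs /dev/shm tmpfs rw,relatime 0 0"

# Stand-alone run: show the unit and audit both samples.
tmp_mount_unit /var/tmpMnt loop,noexec,nosuid,nodev,rw
for l in "$SAMPLE_TMP" "$SAMPLE_SHM"; do
  m=$(missing_opts "$l" noexec nosuid nodev)
  printf '%s missing: %s\n' "$(printf '%s\n' "$l" | awk '{print $2}')" "${m:-none}"
done
```

On a live server you would write the unit output to /etc/systemd/system/tmp.mount, then run systemctl daemon-reload and systemctl enable tmp.mount. CentOS 7 already ships a tmpfs-based tmp.mount under /usr/lib/systemd/system that is disabled by default; a unit of the same name in /etc/systemd/system overrides it. The check function is what I would run against the real /proc/mounts after a reboot to confirm /tmp and /dev/shm still carry noexec and nosuid. For the "device or resource busy" problem discussed earlier, fuser -vm /var/tmp lists the processes holding that directory open, which is quicker than guessing which service to stop.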
 
I am using the CentOS 7 default paths for /tmp, and I feel good about that. Some files are sometimes stored directly in /tmp, but that only happens rarely, with a few files. Most files are at /tmp/systemd-private-.... organized in a directory for each service; for example, I get a path like this for PHP-FPM files from all users on the server:

/tmp/systemd-private-a4e2f7a220b6483d8a4c131b2f0115b5-php-fpm71.service-XjCpWG/tmp

Edit: Yes, I am using hardware raid on the server I posted output from.
 
Just want to add that in /tmp/systemd-private-a4e2f7a220b6483d8a4c131b2f0115b5-php-fpm71.service-XjCpWG/tmp it is mostly session files from users, and I have php_home_tmp_session_save_path=0 in directadmin.conf, so they are not stored in each user's directory. But if you don't have that in directadmin.conf, the default is to store the session files in the users' own directory. It happened in a previous version; here is the changelog entry: https://directadmin.com/features.php?id=2131
 
Thank you for pointing that out, I will change this. I did symlink /home/tmp to /tmp, but I will change this in directadmin.conf anyway.
 