DA and Securing tmp, ...

"mount -o loop" requires /dev/loop* devices that are provided by the "loop" linux kernel module. Just run "modprobe loop" and write "loop" in /etc/modules to load it automatically at boot.
All that is also easily found by searching "mount: could not find any device /dev/loop" in Google. Learn to search before asking :)
 
I don't have a "/etc/modules" file or directory or anything close.
 
Easy instructions.

http://www.webhostgear.com/34.html

Code:
cd /dev
dd if=/dev/zero of=tmpMnt bs=1024 count=1000000
/sbin/mke2fs /dev/tmpMnt
cd /
cp -R /tmp /tmp_backup
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
chmod 1777 /tmp
/tmp_backup/* /tmp/
rm -rf /tmp_backup
echo "/dev/tmpMnt     /tmp     ext2     loop,noexec,nosuid,rw     0 0" >> /etc/fstab
rm -rf /var/tmp
ln -s /tmp /var/tmp
 
I found that /dev/tmpMnt does not survive a reboot so I changed it a bit. I put tmpMnt in /mnt.

Code:
dd if=/dev/zero of=/mnt/tmpMnt bs=1024 count=1000000
/sbin/mke2fs /mnt/tmpMnt
cd /
cp -R /tmp /tmp_backup
mount -o loop,noexec,nosuid,rw /mnt/tmpMnt /tmp
chmod 1777 /tmp
/tmp_backup/* /tmp/
rm -rf /tmp_backup
echo "/mnt/tmpMnt     /tmp     ext2     loop,noexec,nosuid,rw     0 0" >> /etc/fstab
rm -rf /var/tmp
ln -s /tmp /var/tmp
 
There is also a missing "cp" in there.
/mnt should be reserved to mount points, not images. /var is where databases and images should reside.
/home/tmp is created by DA and should follow the same fate as /var/tmp, and the contents of both should also be copied into /tmp.
Then it's better to empty /tmp before mounting, to avoid wasting space.
And "nodev" should also be set as mount option.
And when copying back the data, hidden files must be copied too.
And since sockets, pipes and open files don't follow "cp", a reboot or at least a restart of all services may be necessary.

Result:
Code:
dd if=/dev/zero of=/var/tmpMnt bs=1024 count=1000000
/sbin/mke2fs /var/tmpMnt
cd /
cp -a /tmp /tmp_backup
rm -rf /tmp/.??* /tmp/*
mount -o loop,noexec,nosuid,nodev,rw /var/tmpMnt /tmp
chmod 1777 /tmp
cp -a /tmp_backup/.??* /tmp_backup/* /tmp/
rm -rf /tmp_backup
echo "/var/tmpMnt   /tmp   ext2   loop,noexec,nosuid,nodev,rw   0   0" >> /etc/fstab
cp -a /var/tmp/.??* /var/tmp/* /tmp
rm -rf /var/tmp
ln -s /tmp /var/tmp
cp -a /home/tmp/.??* /home/tmp/* /tmp
rm -rf /home/tmp
ln -s /tmp /var/tmp
Don't forget the reboot or restart of services (at least MySQL, for /tmp/mysql.sock).
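A small check script, added here as an example and not part of anyone's post in this thread: it reads a table in /proc/mounts layout and reports which of the noexec, nosuid and nodev options discussed above are missing on a given mount point. The sample mounts table is constructed; on a real host point the functions at /proc/mounts instead.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies that a mount point such as /tmp
# carries the hardening options settled on above: noexec, nosuid, nodev.

# missing_mount_opts <mounts-file> <mount-point>
# Prints the hardening options absent on <mount-point> (space separated),
# an empty line when all are present, or NOT_MOUNTED when the path is not a
# mount point of its own. Always returns 0 so it is safe under "set -e".
missing_mount_opts() {
    # /proc/mounts layout: device mountpoint fstype options dump pass.
    # Field 2 is the mount point, field 4 the option list; if a path is
    # mounted more than once, the last (topmost) entry wins.
    opts=$(awk -v m="$2" '$2 == m { o = $4 } END { print o }' "$1")
    if [ -z "$opts" ]; then
        echo NOT_MOUNTED
        return 0
    fi
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing${missing:+ }$want" ;;
        esac
    done
    echo "$missing"
}

# check_tmp_mount <mounts-file> <mount-point>: human-readable verdict,
# exit status 1 when the mount is absent or any option is missing.
check_tmp_mount() {
    result=$(missing_mount_opts "$1" "$2")
    if [ -z "$result" ]; then
        echo "$2: ok"
        return 0
    fi
    echo "$2: PROBLEM ($result)"
    return 1
}

# Constructed sample table (not a real host); replace with /proc/mounts.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/loop0 /tmp ext2 rw,nosuid,nodev,noexec 0 0
/dev/loop1 /home/tmp ext2 rw,nosuid 0 0
EOF

status=0
for mp in /tmp /home/tmp /var/tmp; do
    check_tmp_mount "$SAMPLE_MOUNTS" "$mp" || status=1
done
```

With the sample table, /tmp passes, /home/tmp is reported as missing noexec and nodev, and /var/tmp is reported as not being a mount point at all (in the thread's setup it is a symlink to /tmp, so checking /tmp is what matters).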
 
tillo, I knew you had it in you to write this stuff down for us instead of just hinting at it.
 
You were right :) sometimes I forget how many wrong tutorials are out there... it's just that sometimes I don't have the time.
 
Here is a nice little side effect of securing /tmp. NOT!

Code:
[root@server /]# pecl install zip
downloading zip-1.8.10.tgz ...
Starting to download zip-1.8.10.tgz (66,972 bytes)
.................done: 66,972 bytes
58 source files, building
running: phpize
Configuring for:
PHP Api Version:         20041225
Zend Module Api No:      20060613
Zend Extension Api No:   220060519
/usr/local/bin/phpize: /tmp/pear/cache/zip-1.8.10/build/shtool: /bin/sh: bad interpreter: Permission denied
Cannot find autoconf. Please check your autoconf installation and the $PHP_AUTOCONF
environment variable is set correctly and then rerun this script.

ERROR: `phpize' failed

Still seems to me securing /tmp is more trouble than it's worth.
 
Yes, there are a few problems, for example when Debian package maintainers configure their packages to place an executable script in /tmp and run it. Which is a very bad habit.

Modifying the temporary folder to something else (like /temp) solves the problem (for example "TMP=/temp apt-get install package" or "pecl -D temp_dir=/temp/pear/temp install package"). Just remember to create the directory before and erase it afterwards ;)

Security ALWAYS comes with a price.
 
The .??* gives a "no such file or directory"??

And the last rule is doubled, I guess:

ln -s /tmp /var/tmp

or should it be

ln -s /tmp /home/tmp
 
So you are saying it is not safe to mount if the server is running with users?
 
If you do it the correct way, there is no problem doing this while the server is running with users. Except on a VPS maybe.
But it's always advisable to do these kinds of changes at night time or early in the morning, when as few users as possible are online. Just to be on the safe side.
 
Does the OS also clean up this "self created" tmp dir when it almost reaches the size of the mounted FS?
 