Problems securing /tmp

From what I've been reading about this on the net, it's not possible with "loop" when that is missing, or when your /etc/fstab is rewritten after every reboot, or when the remount command is not allowed.

For which virtualization? With OpenVZ I've got the following:

Code:
[root@server /]# cat /etc/fstab
none    /dev/pts        devpts  rw      0       0
none    /tmp            tmpfs   rw,nodev,nosuid,noexec 0 0
[root@server /]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/simfs             20G   13G  7.2G  65% /
none                  1.0G  4.0K  1.0G   1% /dev
none                  1.0G     0  1.0G   0% /tmp
[root@server /]#

And the partition /tmp re-mounts on every VPS restart.

Modifying /etc/fstab, as far as I know, might not work on XEN and KVM. Recently I had an issue with that; I had to use /etc/rc.d/rc.local to mount a custom partition.
 
The other one was Virtuozzo, but probably loop was not activated on the node or something, I guess. I don't know a lot about creating a VPS system.

The one at this moment is indeed a XEN VPS.

Still, it doesn't matter: if the loop device is not present or remount is not allowed, one can't issue this command:
Code:
mount -o loop,noexec,nosuid,rw /var/Tmp /tmp

What's the command you're using in your rc.local to remount /tmp every time? It might be helpful for others in the future.
 
Here it is (in cat /etc/rc.d/rc.local):

Code:
mount /filesystems/tmp_fs /tmp -o noexec,nosuid,loop
chmod 1777 /tmp

on a KVM-powered VPS.
 
Thank you, I sure will try that if we get a VPS again and it won't work.
I hope Nostrome can fix it this way.
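
Since the thread notes that /etc/fstab can be rewritten on reboot and that a mount from rc.local may fail when loop is unavailable, it helps to verify what options /tmp actually ended up with. The following is an added example, not code from any poster in this thread; the function names `missing_mount_opts` and `sample_mounts` are made up for illustration, and the sample mount table is constructed.

```sh
#!/bin/sh
# Added example: report which hardening options a mount point lacks.
# Reads a /proc/mounts-format table so the logic can be checked offline.

# Constructed sample in /proc/mounts format (not taken from a real server).
sample_mounts() {
    cat <<'EOF'
/dev/simfs / simfs rw,relatime 0 0
none /dev tmpfs rw,relatime 0 0
none /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/loop0 /var/tmp ext3 rw,nosuid,relatime 0 0
EOF
}

# missing_mount_opts MOUNTPOINT [MOUNTS_FILE]
# MOUNTS_FILE defaults to /proc/mounts; "-" reads the table from stdin.
# Prints the missing options (space separated), "unmounted" if the path has
# no mount entry of its own, or nothing when noexec, nosuid and nodev are set.
missing_mount_opts() {
    mp=$1
    file=${2:-/proc/mounts}
    # The last matching line wins: a later mount shadows an earlier one.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$file")
    if [ -z "$opts" ]; then
        echo "unmounted"
        return 0
    fi
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;                    # option present
            *) missing="$missing $want" ;;     # option absent
        esac
    done
    echo "${missing# }"
}

# Demo on the constructed sample; on a real host call: missing_mount_opts /tmp
for mp in /tmp /var/tmp; do
    printf '%s: missing [%s]\n' "$mp" "$(sample_mounts | missing_mount_opts "$mp" -)"
done
```

Calling `missing_mount_opts /tmp` at the end of rc.local, after the mount line, and logging any non-empty result shows when a reboot left /tmp without the intended options.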
 