/scripts/securetmp

asishlla

My question is divided into two parts.
The first part: how do I protect the tmp directory?
The second part: are there places where temporary files should be cleaned from time to time?
Please, it is important to me.
Thank you
 
This is what I use:

SECURE /TMP AND OTHERS - http://www.eth0.us/tmp said:
########################### SECURE /TMP AND STUFF #######################

The first step is to check if /tmp is already secure. Some datacenters do not create a /tmp partition while others do.
-----command-----
df -h |grep tmp
-----command-----


If that displays nothing then go below to create a tmp partition. If you do have a tmp partition you need to see if it mounted with noexec.
-----command-----
cat /etc/fstab |grep tmp
-----command-----

If there is a line that includes /tmp and noexec then it is already mounted as non-executable. If not, follow the instructions below to create one without having to physically format your disk. Ideally you would make a real partition when the disk was originally formatted; that being said, I have not had any trouble creating a /tmp partition using the following method.

Create a ~800Mb partition
-----command-----
cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=1005000
-----command-----

Format the partition
-----command-----
mkfs.ext2 /dev/tmpMnt
-----command-----
When it asks about not being a block special device press Y


Make a backup of the old data
-----command-----
cp -Rp /tmp /tmp_backup
-----command-----

Mount the temp filesystem
-----command-----
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
-----command-----

Set the permissions
-----command-----
chmod 1777 /tmp
-----command-----

Copy the old files back
-----command-----
cp -Rp /tmp_backup/* /tmp/
-----command-----

Once you do that go ahead and restart mysql and make sure it works ok. We do this because mysql places the mysql.sock in /tmp, which needs to be moved. If not, it might have trouble starting. If it does, you can add this line to the bottom of /etc/fstab to automatically have it mounted:

Open the file in pico:
-----command-----
vi /etc/fstab
-----command-----
Now add this single line at the bottom:

/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

While we are at it we are going to secure /dev/shm. Look for the mount line for /dev/shm and change it to the following:
none /dev/shm tmpfs noexec,nosuid 0 0

Umount and remount /dev/shm for the changes to take effect.
-----command-----
umount /dev/shm
mount /dev/shm
-----command-----

Next delete the old /var/tmp and create a link to /tmp
-----command-----
rm -rf /var/tmp/
ln -s /tmp /var/tmp
-----command-----

If everything still works fine you can go ahead and delete the /tmp_backup directory.
-----command-----
rm -rf /tmp_backup
-----command-----


Your /tmp, /var/tmp, and /dev/shm are now mounted in a way that no program can be directly run from these directories. Like I have said in other articles there are still ways in but this is one of the many layers of security you should have on your system.


Since MySql uses the /tmp it'll need a restart:
-----command-----
service mysqld restart
-----command-----


######################### SECURE /TMP AND STUFF END #####################
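The quoted procedure ends with /tmp, /var/tmp and /dev/shm mounted noexec,nosuid; the script below is an added example (not from the eth0.us article or anyone in this thread) that audits a mount table for exactly those two flags. It assumes input in /proc/mounts format and uses a constructed sample table; on a live host feed it `cat /proc/mounts` instead.

```shell
#!/bin/sh
# Added example: audit whether the temp directories the quoted article hardens
# are mounted with noexec and nosuid. Input is a mount table in /proc/mounts
# format: "device mountpoint fstype options dump pass", one mount per line.

# has_opts OPTS OPT...: succeed only if every OPT is a whole token in the
# comma-separated OPTS string (so "noexec" does not match "exec" or "nosuid").
has_opts() {
  have=$1; shift
  for need in "$@"; do
    case ",$have," in
      *",$need,"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# check_tmp_mounts DIR...: read a mount table on stdin and print one line per
# DIR: "DIR ok", "DIR MISSING:<opts>" or "DIR NOTMOUNTED". The last table entry
# for a mountpoint wins, matching how the kernel reports over-mounts.
# A directory that is only a symlink (the article links /var/tmp to /tmp) has
# no mount entry of its own, so pass the link target instead.
check_tmp_mounts() {
  table=$(cat)
  for dir in "$@"; do
    opts=$(printf '%s\n' "$table" | awk -v d="$dir" '$2 == d { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
      echo "$dir NOTMOUNTED"
      continue
    fi
    missing=""
    for want in noexec nosuid; do
      has_opts "$opts" "$want" || missing="$missing,$want"
    done
    if [ -z "$missing" ]; then
      echo "$dir ok"
    else
      echo "$dir MISSING:${missing#,}"
    fi
  done
}

# Constructed sample table (not captured from a real host): /tmp done per the
# article, /dev/shm still missing noexec, /var/tmp not mounted separately.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/loop0 /tmp ext2 rw,nosuid,noexec,relatime 0 0
none /dev/shm tmpfs rw,nosuid,relatime 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | check_tmp_mounts /tmp /var/tmp /dev/shm
```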
 
Hi Duboux,
Next delete the old /var/tmp and create a link to /tmp
-----command-----
rm -rf /var/tmp/
ln -s /tmp /var/tmp
-----command-----

If everything still works fine you can go ahead and delete the /tmp_backup directory.
-----command-----
rm -rf /tmp_backup
-----command-----

All the files that I will delete are not important files, is that right?
Thank you
 
The files you'll delete will be the original files you had on your old /var/tmp.
They were copied onto your new /tmp.
So if that went well, it should be safe to delete those, since they won't be addressed anymore anyway.

PS, sorry for the late reply.
 
I've a little question about this procedure...

What if all the disk space is allocated? Where will it automatically cut the 800 MB from?
 
Will these steps work on FreeBSD? Is there a risk of crashing your server if trying this?
 
Does your FreeBSD have a vi editor, and does it support ext2 and loop devices? You need to update the list of commands for FreeBSD before you can use it.

And if you compile the kernel from sources with these options, noexec,nosuid on /tmp, you will probably run into problems (at least in my experience that was an issue).
 