Secure /tmp /home

nango

Hi

I installed a fresh DA on a new (CentOS 6.4, 64-bit) server and want to secure it before adding any web site.
In the DA basic security recommendations there is a part about mounting the /home partition with nosuid.
I installed DA on a new disk that has just / and swap, plus another HDD mounted as /backup, and other directories made with DA. Should I remount /home with nosuid?
This is my fstab:
Code:
# /etc/fstab
# Created by anaconda on Tue Jun 10 19:36:16 2014
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=af2c6482-2944-430c-bd72-7f6b3fd71a29                       /                       ext3    defaults,usrquota,grpquota      1 1
UUID=716cff89-c506-4c7f-89f6-eac7a7fbef9f /backup                 ext3    defaults        1 2
UUID=74f7dae2-9b6b-4c8f-9274-d3353eff7db1 swap                    swap    defaults        0 0
tmpfs                   /dev/shm                tmpfs   defaults,nodev,nosuid,noexec        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
 
nosuid is pointless; you can't just chown files to someone else. Some people are just paranoid.
 
should I remount /home with nosuid?
No, you can just create a /tmp (and /home/tmp) with nosuid like this:
Code:
dd if=/dev/zero of=/var/tmpMnt bs=1024 count=5000000
/sbin/mkfs.ext4 -j /var/tmpMnt
You will get a notice about tune2fs or something after this.
As you can see, I created a /tmp of 5 GB. Adjust it to your needs, but remember that some DA backup stuff will be done in there. Made too small, you can have a problem, or you can point to another directory for backups in directadmin.conf.

Code:
cd /
cp -a /tmp /tmp_backup
rm -rf /tmp/.??* /tmp/*
mount -o loop,noexec,nosuid,nodev,rw /var/tmpMnt /tmp
chmod 1777 /tmp
cp -a /tmp_backup/.??* /tmp_backup/* /tmp/
rm -rf /tmp_backup
echo "/var/tmpMnt   /tmp   ext4   loop,noexec,nosuid,nodev,rw   0   0" >> /etc/fstab
cp -a /var/tmp/.??* /var/tmp/* /tmp
rm -rf /var/tmp
ln -s /tmp /var/tmp
cp -a /home/tmp/.??* /home/tmp/* /tmp
rm -rf /home/tmp
ln -s /tmp /home/tmp

Some commands may say it doesn't exist, but that will probably be because a directory like /home/tmp does not exist yet or no files are present.
Besides that, you might have to fix logrotate:

Code:
vi /etc/cron.daily/logrotate
Add this line:
Code:
export TMPDIR=/var/spool/logrotate/tmp

And of course create the directory for it.
Code:
mkdir -p /var/spool/logrotate/tmp

P.S. For more security, install mod_ruid2 too and the csf/lfd firewall.
 
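An added check for the procedure above (my example, not code from the poster or from DirectAdmin): a POSIX sh script that verifies a mount point really carries the noexec, nosuid and nodev options by parsing /proc/mounts-style lines. The SAMPLE_MOUNTS data is constructed to mirror the poster's layout after the loop-mounted /tmp is in place, and the missing_opts function name is mine.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a mount point
# actually carries the noexec,nosuid,nodev options the procedure above puts
# on /tmp. It parses /proc/mounts-style lines, so it also works on a saved
# copy of the mount table from another host.

# Constructed sample in /proc/mounts format, mirroring the poster's layout
# after the loop-mounted /tmp exists (sample data, not a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime,usrquota,grpquota 0 0
/dev/sdb1 /backup ext3 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
/dev/loop0 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0'

# missing_opts MOUNTS_TEXT MOUNTPOINT
# Prints each of noexec/nosuid/nodev that is absent on MOUNTPOINT, one per
# line. Exit status: 0 = fully hardened, 1 = options missing,
# 2 = MOUNTPOINT is not a mount point at all (e.g. still just part of /).
missing_opts() {
    mounts="$1"; mp="$2"
    # Field 2 of /proc/mounts is the mount point; the last matching line is
    # the mount currently visible at that path.
    line=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { l = $0 } END { print l }')
    [ -n "$line" ] || return 2
    # Field 4 is the comma-separated option list.
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    rc=0
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *,"$want",*) ;;           # option present
            *) echo "$want"; rc=1 ;;  # option missing
        esac
    done
    return $rc
}

# On a real host, check the live mount table. /var/tmp and /home/tmp are
# symlinks to /tmp after the procedure, so /tmp is the entry that matters.
if [ -r /proc/mounts ]; then
    missing_opts "$(cat /proc/mounts)" /tmp \
        || echo "/tmp: not hardened (options listed above are missing, or it is not a separate mount)"
fi
```

Run it after the remount and after a reboot, since an fstab line that failed to apply leaves /tmp as a plain directory on / with none of these options.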