Securing /dev/shm with raid?

Richard G

I followed the guide from DA to secure /tmp (and /var/tmp etc.) and that went well.

Now I normally also secure /dev/shm with this guide:
Edit your /etc/fstab:
# nano /etc/fstab

change:
"none /dev/shm tmpfs defaults,rw 0 0" to
"none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0"

Remount /dev/shm:
# mount -o remount /dev/shm

However, with our new server we don't have a /dev/shm entry in fstab. So I don't know what to do. This is our current fstab:
proc /proc proc defaults 0 0
none /dev/pts devpts gid=5,mode=620 0 0
/dev/md0 none swap sw 0 0
/dev/md1 /boot ext3 defaults 0 0
/dev/md2 / ext3 defaults,usrquota,grpquota 0 0
/var/tmpMnt /tmp ext3 loop,noexec,nosuid,nodev,rw 0 0

Can anybody give an easy explanation (like a step-by-step guide) of how I can secure /dev/shm?
Because I guess that only making the entry as in the guide in /etc/fstab and rebooting the server won't do the trick.
 
Isn't it needed anymore these days then? I had hackers last year who executed scripts via my /tmp directory, so that's why normally the /tmp dir and /dev/shm need to be secure. The /tmp needs to be in any case.
Indeed I have csf running, but I don't do everything csf advises.
 
You should already have /dev/shm in your system because it's mounted automatically; if it's missing in /dev/fstab, just copy over the line from /etc/mtab. Usually it's already secured by nosuid and nodev; add noexec if missing.

And your raid/mdadm-dependent config has nothing to do with this.
 
Thank you Tillo.
However, I do indeed have /dev/shm; that's normal, as you stated, part of the OS.

But this is my mtab:
/dev/md2 / ext3 rw,usrquota,grpquota 0 0
proc /proc proc rw 0 0
none /dev/pts devpts rw,gid=5,mode=620 0 0
/dev/md1 /boot ext3 rw 0 0
/var/tmpMnt /tmp ext3 rw,noexec,nosuid,nodev,loop=/dev/loop0 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0

Strangely enough, it's not present there either as a statement.
So that's why I don't know how to solve this.
 
Well, try the direct link to the mount table: /proc/mounts. It must be there.
Anyway, "none /dev/shm tmpfs defaults,nosuid,nodev,noexec,rw 0 0" is 99.99% correct unless you have software with particular needs, for example Oracle.
 
It's not even in /proc/mounts; that's why I'm so confused. Not fstab, not mtab and not /proc/mounts:
rootfs / rootfs rw 0 0
/dev/root / ext3 rw,data=ordered,usrquota,grpquota 0 0
/dev /dev tmpfs rw 0 0
/proc /proc proc rw 0 0
/sys /sys sysfs rw 0 0
/proc/bus/usb /proc/bus/usb usbfs rw 0 0
none /dev/pts devpts rw 0 0
/dev/md1 /boot ext3 rw,data=ordered 0 0
/dev/loop0 /tmp ext3 rw,nosuid,nodev,noexec,data=ordered 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0

So if I understand you correctly, I can just put the line which you gave me in the fstab and all is in order?
 
OK, I put it in the fstab like you said and rebooted the server. Everything seems to be in order, thanks for all your help!
 
I'm not sure what you mean, but I did it this way:
Code:
proc /proc proc defaults 0 0
none /dev/pts devpts gid=5,mode=620 0 0
/dev/md0 none swap sw 0 0
/dev/md1 /boot ext3 defaults 0 0
/dev/md2                        /                       ext3    defaults,usrquota,grpquota      0 0
/var/tmpMnt   /tmp   ext3   loop,noexec,nosuid,nodev,rw   0   0
none /dev/shm tmpfs defaults,nosuid,nodev,noexec,rw 0 0

For securing the /tmp I used a combination of this:
http://www.securecentos.com/basic-security/secure-tmp/

And one I found here on the DirectAdmin forums.
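
Added example, not part of the thread: a path with no mount entry of its own takes the options of the mount that contains it, so a /dev/shm that is absent from /proc/mounts still has effective options (those of the `/dev` tmpfs in the table posted above). The sketch below finds the covering mount and lists which of nosuid, nodev and noexec it lacks; the function names are hypothetical and the sample tables are constructed in the format of the output in the thread.

```sh
# Added example (not from the thread); function names are hypothetical.
# effective_opts TABLE PATH: print "MOUNTPOINT OPTIONS" for the deepest mount
# containing PATH. A path with no entry of its own is covered by its parent.
effective_opts() {
    awk -v p="$2" '
        $2 == p || $2 == "/" || index(p, $2 "/") == 1 {
            # Longest mount point wins; on a tie the later line shadows.
            if (length($2) >= best) { best = length($2); mp = $2; o = $4 }
        }
        END { if (mp != "") print mp, o }' "$1"
}

# missing_opts TABLE PATH OPT...: print the required options, comma separated,
# that the covering mount lacks.
missing_opts() {
    table=$1; path=$2; shift 2
    opts=$(effective_opts "$table" "$path" | awk '{ print $2 }')
    missing=""
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    echo "$missing"
}

# audit TABLE PATH...: report each path; return 1 if any lacks an option.
audit() {
    tbl=$1; shift; rc=0
    for p in "$@"; do
        m=$(missing_opts "$tbl" "$p" nosuid nodev noexec)
        if [ -n "$m" ]; then echo "$p: missing $m"; rc=1; else echo "$p: ok"; fi
    done
    return $rc
}

# Constructed sample tables: before and after the /dev/shm line is added.
sample_before() {
    cat <<'EOF'
/dev/root / ext3 rw,data=ordered,usrquota,grpquota 0 0
/dev /dev tmpfs rw 0 0
/dev/loop0 /tmp ext3 rw,nosuid,nodev,noexec,data=ordered 0 0
EOF
}
sample_after() { sample_before; echo "none /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0"; }

tmpf=$(mktemp); sample_before > "$tmpf"
audit "$tmpf" /tmp /dev/shm || true
rm -f "$tmpf"
```

On a live host, `audit /proc/mounts /tmp /dev/shm` checks the running mount table rather than fstab, which only describes what will be mounted at the next boot.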
 