Securing /tmp on a system with a single partition?

[Navigator]

[DA noob warning / cPanel refugee here] are there any scripts like cpanel's "securetmp" that will take care of setting up basic permissions and security on the partitions?

A very very old article from 2010 eth0.us shows how to create a /tmp partition but its very outdated. Another article I found with similar commands (but this broke my VM and it no longer booted so I reset it): https://cloudminister.com/how-to-add-tmp-security-in-centos7/

My CentOS 7 VM came with a single partition

[root@server ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        1.9G     0  1.9G   0% /dev
tmpfs           1.9G     0  1.9G   0% /dev/shm
tmpfs           1.9G  8.6M  1.9G   1% /run
tmpfs           1.9G     0  1.9G   0% /sys/fs/cgroup
/dev/vda1        77G  3.5G   70G   5% /
tmpfs           379M     0  379M   0% /run/user/0
[root@server ~]# cat /etc/fstab

#
# /etc/fstab
# Created by anaconda on Mon May 14 08:32:03 2018
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
LABEL=root                      /                       ext4    defaults,usrquota,grpquota      1 1
/dev/vda2        swap       swap       defaults        0 0
[root@server ~]#

Any guidance is appreciated! I am just trying to setup basic security so I can migrate my cPanel accounts.... I wish there was a simple script that you can run on vanilla servers and take care of 'the basics'

 

[Richard G]

We don't have a ready-script like cpanel has. But you can use one wich I learned in the past here and still use:
Secure /dev/shm
in /etc/fstab change:
none /dev/shm tmpfs defaults,rw 0 0
to
none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
and remount.
mount -o remount /dev/shm

Secure /tmp I do like this and use 5 GB and create a seperate directory for DA's temp files.
Most services should be stopped running if you don't want to run into errors.

dd if=/dev/zero of=/var/tmpMnt bs=1024 count=5000000
mkfs.ext4 -j /var/tmpMnt
cd /
cp -a /tmp /tmp_backup
rm -rf /tmp/.??* /tmp/*
mount -o loop,noexec,nosuid,nodev,rw /var/tmpMnt /tmp
chmod 1777 /tmp
cp -a /tmp_backup/.??* /tmp_backup/* /tmp/
rm -rf /tmp_backup
echo "/var/tmpMnt   /tmp   ext4   loop,noexec,nosuid,nodev,rw   0   0" >> /etc/fstab
cp -a /var/tmp/.??* /var/tmp/* /tmp
rm -rf /var/tmp
ln -s /tmp /var/tmp
cp -a /home/tmp/.??* /home/tmp/* /tmp
rm -rf /home/tmp
ln -s /tmp /home/tmp

and ready.
A couple of these lines can give you a notice that it doesn't exists, but that's not a problem, it's just catching some default configs.

I ran into an issue once with DA being busy with backups or something, don't remember. But I had too little space left for the DA action itself.
So I create a directory in / so like:

cd /
mkdir da_tmp
chmod 1777 da_tmp

then in /usr/local/directadmin/conf/directadmin.conf change the according line to this:
tmpdir=../../../da_tmp

Is been used on dedicated servers and on VPS systems, so should work for you too.

 

[skym4n]

We don't have a ready-script like cpanel has. But you can use one wich I learned in the past here and still use:
Secure /dev/shm
in /etc/fstab change:
none /dev/shm tmpfs defaults,rw 0 0
to
none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
and remount.
mount -o remount /dev/shm

Secure /tmp I do like this and use 5 GB and create a seperate directory for DA's temp files.
Most services should be stopped running if you don't want to ru into errors.

dd if=/dev/zero of=/var/tmpMnt bs=1024 count=5000000
mkfs.ext4 -j /var/tmpMnt
cd /
cp -a /tmp /tmp_backup
rm -rf /tmp/.??* /tmp/*
mount -o loop,noexec,nosuid,nodev,rw /var/tmpMnt /tmp
chmod 1777 /tmp
cp -a /tmp_backup/.??* /tmp_backup/* /tmp/
rm -rf /tmp_backup
echo "/var/tmpMnt   /tmp   ext4   loop,noexec,nosuid,nodev,rw   0   0" >> /etc/fstab
cp -a /var/tmp/.??* /var/tmp/* /tmp
rm -rf /var/tmp
ln -s /tmp /var/tmp
cp -a /home/tmp/.??* /home/tmp/* /tmp
rm -rf /home/tmp
ln -s /tmp /home/tmp

and ready.
A couple of these lines can give you a notice that it doesn't exists, but that's not a problem, it's just catching some default configs.

I ran into an issue once with DA being busy with backups or something, don't remember. But I had too little space left for the DA action itself.
So I create a directory in / so like:

cd /
mkdir da_tmp
chmod 777 da_tmp

then in /usr/local/directadmin/conf/directadmin.conf change the according line to this:
tmpdir=../../../da_tmp

Is been used on dedicated servers and on VPS systems, so should work for you too.

My partitions are different, how do I create a safe /tmp? see the attached file.

see what my partition looks like
UUID=305c2ee1-e2de-4c44-9509-ee00cd841df9 / xfs defaults,uquota,gquota 0 0
UUID=459d8b80-abb1-4ea1-8c8a-de00f3090b36 /boot xfs defaults 0 0
UUID=89e294d1-3d5c-4623-bdbc-5c75021faf1d none swap defaults 0 0

 

[skym4n]

Code:

dd if=/dev/zero of=/var/tmpMnt bs=1024 count=5000000
mkfs.ext4 -j /var/tmpMnt
cd /
cp -a /tmp /tmp_backup
rm -rf /tmp/.??* /tmp/*
mount -o loop,noexec,nosuid,nodev,rw /var/tmpMnt /tmp
chmod 1777 /tmp
cp -a /tmp_backup/.??* /tmp_backup/* /tmp/
rm -rf /tmp_backup
echo "/var/tmpMnt   /tmp   ext4   loop,noexec,nosuid,nodev,rw   0   0" >> /etc/fstab
cp -a /var/tmp/.??* /var/tmp/* /tmp
rm -rf /var/tmp
ln -s /tmp /var/tmp
cp -a /home/tmp/.??* /home/tmp/* /tmp
rm -rf /home/tmp
ln -s /tmp /home/tmp

I followed this step-by-step, is that enough? Is there a way to test if it is safe?

 

[Richard G]

Is there a way to test if it is safe?

That shoud be enough yes.
The UUID is not used, you get normal entry's in your /etc/fstab like this:

none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
/var/tmpMnt   /tmp   ext4   loop,noexec,nosuid,nodev,rw   0   0

There is a way to test it, but I'm no scripter, I had some test before but I lost it. However if you have it like this you can be sure it works.

If you get issues with backups, it might be wise to change the DA path to a different directory.
I always create a directory in the root of the os so like /da_tmp and chmod to 1777.
Then in directadmin.conf I change tmpdir= to tmpdir=/da_tmp and restart DA and then DA is all the space it needs. There might be better methods.
As for all goes, use at your own risk and responsibility.

 

[johannes]

..should be copied into the "how-to-guides" .. Richard?

 

[Richard G]

I don't know if it's still required @johannes because recently I read somewhere that with php-fpm using executable scripts in the /tmp would be not possible anyway.
Not sure where I've read this or if this is true. If not or if protecting the /tmp is still relevant these days, I will gladly copy it to the how-to-guides section.

 

[skym4n]

I made the above configuration, but I am having a problem with backups via FTP.

Remote backups via FTP need a temporary space to be compressed, with the above configuration I had the following problem.

For accounts larger than 5GB, the system cannot generate and send the backup, resulting in the error below.


Error Compressing the backup file user.revenda.astronauta.tar.zst : zstd: error 25 : Write error : No space left on device (cannot write compressed block)

 

[Richard G]

For accounts larger than 5GB, the system cannot generate and send the backup, resulting in the error below.

Did you read this line?

I always create a directory in the root of the os so like /da_tmp and chmod to 1777.
Then in directadmin.conf I change tmpdir= to tmpdir=/da_tmp and restart DA and then DA is all the space it needs. There might be better methods.
As for all goes, use at your own risk and responsibility.

Because that is causing your issue, the fact that you forgot this. Because DA also makes it's backups in the /tmp directory. So that's why it's wise to create a seperate backup directory for DA.

It's very clear about backups in the instructions in post #2

I ran into an issue once with DA being busy with backups or something, don't remember. But I had too little space left for the DA action itself.
So I create a directory in / so like: