Securing /tmp on a system with a single partition?

Navigator

[DA noob warning / cPanel refugee here] Are there any scripts like cPanel's "securetmp" that will take care of setting up basic permissions and security on the partitions?

A very, very old article from 2010 on eth0.us shows how to create a /tmp partition, but it's very outdated. Another article I found has similar commands (but this broke my VM and it no longer booted, so I reset it): https://cloudminister.com/how-to-add-tmp-security-in-centos7/

My CentOS 7 VM came with a single partition:
Code:
[root@server ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        1.9G     0  1.9G   0% /dev
tmpfs           1.9G     0  1.9G   0% /dev/shm
tmpfs           1.9G  8.6M  1.9G   1% /run
tmpfs           1.9G     0  1.9G   0% /sys/fs/cgroup
/dev/vda1        77G  3.5G   70G   5% /
tmpfs           379M     0  379M   0% /run/user/0
[root@server ~]# cat /etc/fstab

#
# /etc/fstab
# Created by anaconda on Mon May 14 08:32:03 2018
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
LABEL=root                      /                       ext4    defaults,usrquota,grpquota      1 1
/dev/vda2        swap       swap       defaults        0 0
[root@server ~]#

Any guidance is appreciated! I am just trying to set up basic security so I can migrate my cPanel accounts... I wish there was a simple script that you can run on vanilla servers and take care of 'the basics'.
 
We don't have a ready-made script like cPanel has. But you can use one which I learned in the past here and still use:
Secure /dev/shm
in /etc/fstab change:
none /dev/shm tmpfs defaults,rw 0 0
to
none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
and remount.
mount -o remount /dev/shm

Secure /tmp I do like this: I use 5 GB and create a separate directory for DA's temp files.
Most services should be stopped if you don't want to run into errors.
Code:
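# Create a ~5 GB file that will back the new /tmp filesystem
dd if=/dev/zero of=/var/tmpMnt bs=1024 count=5000000
mkfs.ext4 -j /var/tmpMnt
cd /
# Save the current contents of /tmp, then empty it
cp -a /tmp /tmp_backup
rm -rf /tmp/.??* /tmp/*
# Loop-mount the file on /tmp without exec, setuid or device-node support
mount -o loop,noexec,nosuid,nodev,rw /var/tmpMnt /tmp
chmod 1777 /tmp
cp -a /tmp_backup/.??* /tmp_backup/* /tmp/
rm -rf /tmp_backup
# Make the mount persistent across reboots
echo "/var/tmpMnt   /tmp   ext4   loop,noexec,nosuid,nodev,rw   0   0" >> /etc/fstab
# Move /var/tmp into the new /tmp and leave a symlink behind
cp -a /var/tmp/.??* /var/tmp/* /tmp
rm -rf /var/tmp
ln -s /tmp /var/tmp
# Same for /home/tmp
cp -a /home/tmp/.??* /home/tmp/* /tmp
rm -rf /home/tmp
ln -s /tmp /home/tmp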
and ready.
A couple of these lines can give you a notice that something doesn't exist, but that's not a problem; it's just catching some default configs.

I ran into an issue once with DA being busy with backups or something, I don't remember. But I had too little space left for the DA action itself.
So I create a directory in /, like so:
Code:
cd /
mkdir da_tmp
chmod 777 da_tmp

Then in /usr/local/directadmin/conf/directadmin.conf change the corresponding line to this:
tmpdir=../../../da_tmp

It's been used on dedicated servers and on VPS systems, so it should work for you too.
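
A way to confirm that the mount options from the answer above actually took effect, as an added example that is not part of the thread: the script reads a mount table in /proc/mounts format and reports which required options are missing on /tmp and /dev/shm. The function names `missing_opts`, `audit_tmp` and `sample_mounts` are hypothetical, and the sample table is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit mount options of /tmp and /dev/shm.

# missing_opts MOUNTPOINT REQUIRED_CSV [MOUNTS_FILE]   (hypothetical helper)
#   prints the required options that are absent, comma separated
#   returns 0 = all present, 1 = some missing, 2 = not a separate mount
missing_opts() {
    mp=$1; required=$2; table=${3:-/proc/mounts}
    # When a path is mounted more than once, the last entry is the visible one.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$table")
    if [ -z "$opts" ]; then
        echo "not-mounted"
        return 2
    fi
    missing=""
    for want in $(echo "$required" | tr ',' ' '); do
        case ",$opts," in
            *",$want,"*) ;;    # whole-option match, so "exec" never matches "noexec"
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    echo "$missing"
    [ -z "$missing" ]
}

# audit_tmp [MOUNTS_FILE]: check the options used in the answer above.
audit_tmp() {
    mounts=${1:-/proc/mounts}; rc=0
    for spec in "/tmp:noexec,nosuid,nodev" "/dev/shm:noexec,nosuid"; do
        if out=$(missing_opts "${spec%%:*}" "${spec#*:}" "$mounts"); then
            echo "OK   ${spec%%:*}"
        else
            echo "FAIL ${spec%%:*}: $out"; rc=1
        fi
    done
    return $rc
}

# Constructed sample in /proc/mounts format: /tmp hardened, /dev/shm not yet.
sample_mounts() {
    cat <<'EOF'
/dev/vda1 / ext4 rw,relatime,quota,usrquota,grpquota 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/loop0 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
EOF
}
```

Calling `audit_tmp` with no argument checks the live system; running it again after a reboot shows whether the /etc/fstab entries were picked up.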
 