Creating Secure /tmp Directory

Date 26 November 2012

Creating A Secure /tmp Directory from a file

IMPORTANT NOTICE: THIS WHITEPAPER MAY NOT BE APPLICABLE TO YOUR SITUATION AND YOU SHOULD STUDY IT CAREFULLY. WE ARE NOT RESPONSIBLE IF YOU DAMAGE YOUR SERVER OR ANY OF ITS CONTENTS FOLLOWING INFORMATION GIVEN IN ANY OF OUR WHITEPAPERS.

WE DO NOT GUARANTEE THIS WHITE PAPER TO BE ERROR FREE. YOU ARE RESPONSIBLE FOR ANY HARM YOU CAUSE YOUR SERVER OR DATA FOLLOWING THESE INSTRUCTIONS.

WE DO OFFER THE SERVICES IN THIS WHITE PAPER AS A COMMERCIAL SERVICE AND WE'LL BE HAPPY TO DO THIS WORK FOR YOU AS A COMMERCIAL SERVICE. PLEASE FEEL FREE TO CONTACT US FOR FURTHER INFORMATION AND PRICING IF YOU'RE INTERESTED IN HIRING US FOR THIS OR FOR ANY OTHER PURPOSE.

THIS WHITEPAPER HAS BEEN TESTED ON CURRENT AND PRIOR VERSIONS OF CENTOS AND ON NO OTHER OPERATING SYSTEMS.

This guide is for those whose /tmp directory is not mounted on its own partition and therefore cannot be given its own restrictive mount options (noexec, nosuid, nodev). Following these instructions will make it harder (but not impossible) for users or visitors to create executable files in your /tmp directory and then use them to abuse or compromise your system.


STEP 1: Log in to your server as root.


STEP 2: Check /etc/fstab to ensure there is no existing entry that mounts /tmp; if there is one, comment it out.

Command:

grep /tmp /etc/fstab

STEP 3: Create a file that we will use to mount at /tmp.

First change your current working directory to /home. (Note: we use /home because it is generally the largest partition with the most free space.) Then in that directory create a 5 GB file to hold the new /tmp filesystem. If you need more or less space, adjust the count value as required.

Commands:

cd /home
dd if=/dev/zero of=tmpMnt bs=1024 count=5000000

STEP 4: Make an ext2 filesystem inside the tmpMnt file. Because tmpMnt is a regular file rather than a block device, mke2fs will warn that it is not a block special device and ask whether to proceed anyway; answer y.

Command:

mke2fs /home/tmpMnt

STEP 5: Copy your /tmp directory to a temporary location.

Commands:

cd /
cp -Rpf /tmp /tmp_backup

STEP 6: Edit /etc/fstab and add the following line (fields separated by whitespace) so that the new /tmp is mounted at boot with the restrictive options:

/home/tmpMnt	/tmp	ext2	loop,nosuid,noexec,nodev,noatime,rw	0	0

STEP 7: Mount the new /tmp filesystem with the noexec, nosuid and nodev options.

Command:

mount -o loop,nosuid,noexec,nodev,noatime,rw /home/tmpMnt /tmp

STEP 8: Set the permissions of the new /tmp to 1777 (world-writable with the sticky bit, so users can delete only their own files).

Command:

chmod 1777 /tmp

STEP 9: Verify the new /etc/fstab entry by remounting /tmp; if the line you added contains an error, this command will report it.

Command:

mount -o remount /tmp

STEP 10: Copy everything, including hidden files and directories such as .ICE-unix, back from /tmp_backup to the new /tmp.

Command:

cp -a /tmp_backup/. /tmp/

STEP 11: Remove /var/tmp and /tmp_backup. Note that this deletes the current contents of /var/tmp; the next step replaces it with a symlink to /tmp.

Commands:

rm -Rf /var/tmp
rm -Rf /tmp_backup

STEP 12: Create a symlink from /var/tmp to /tmp.

Command:

ln -s /tmp /var/tmp

STEP 13: Optionally, remove /home/tmp and replace it with a symlink to /tmp.

Command:

rm -Rf /home/tmp
ln -s /tmp /home/tmp

Note: The step immediately above is marked optional because on a server running DirectAdmin it may cause a problem: the /home/tmp directory becomes too small to create offsite backups using either the admin-level or reseller-level reseller backup option. If this is a problem for you, either do not symlink /home/tmp to /tmp, or select a different backup directory by creating or modifying the backup_tmpdir line in your directadmin.conf file so that it points to a new directory in a partition with plenty of space (for example, under /home), as follows:

backup_tmpdir=/home/backupdir

STEP 14: Optionally, reboot the server.

Command:

shutdown -r now

Note: The step immediately above is marked optional, but it is highly recommended, to be sure that any processes still writing to the replaced tmp directories are stopped. This could of course interrupt important processes (for example backups), but we do recommend it.
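The whole procedure (steps 2 through 12) collected into one script, added here as an example and not part of the original whitepaper. The image path, dd size and mount options are the ones used above; the helper function names, the --apply guard, the chmod 600 on the image file (a world-readable image exposes every file stored in /tmp), the -F flag to mke2fs, and the two post-checks at the end are additions of this example. The optional steps 13 and 14 are left out.

```shell
#!/bin/sh
# Added example (not from the original whitepaper): the /tmp loopback
# procedure as a script. Running it with --apply is destructive and must
# be done as root; without --apply only the helper functions are defined.
set -eu

TMP_IMG=/home/tmpMnt                   # image file, as in the whitepaper
TMP_BLOCKS=5000000                     # dd count in 1024-byte blocks, as in the whitepaper
MOUNT_OPTS=loop,nosuid,noexec,nodev,noatime,rw

# Step 2: return 0 if an fstab-format file already mounts something at /tmp.
# Comment lines are ignored. $1 = path to the file (normally /etc/fstab).
fstab_has_tmp_entry() {
    awk '$1 !~ /^#/ && $2 == "/tmp" { found = 1 } END { exit !found }' "$1"
}

# Step 6: print the /etc/fstab line for the loopback /tmp.
fstab_line() {
    printf '%s\t/tmp\text2\t%s\t0\t0\n' "$TMP_IMG" "$MOUNT_OPTS"
}

# Post-check (addition): return 0 if a mount table in /proc/mounts format
# shows /tmp mounted with nosuid, noexec and nodev. $1 = path to the file.
tmp_mount_hardened() {
    awk '$2 == "/tmp" {
             opts = "," $4 ","
             if (opts ~ /,nosuid,/ && opts ~ /,noexec,/ && opts ~ /,nodev,/) ok = 1
         }
         END { exit !ok }' "$1"
}

# Post-check (addition): return 0 if a script placed in directory $1 cannot
# be executed. On a noexec mount the kernel refuses execve() with
# "Permission denied" even though the mode bits allow execution.
noexec_blocks_execution() {
    f=$(mktemp "$1/noexec-test.XXXXXX")
    printf '#!/bin/sh\nexit 0\n' > "$f"
    chmod 755 "$f"
    if "$f" 2>/dev/null; then
        rm -f "$f"
        return 1       # it ran, so the directory is not mounted noexec
    fi
    rm -f "$f"
    return 0
}

# Steps 3 to 12 in order. Root required; destructive.
apply_secure_tmp() {
    if fstab_has_tmp_entry /etc/fstab; then
        echo "/etc/fstab already mounts /tmp; comment that line out first" >&2
        return 1
    fi
    dd if=/dev/zero of="$TMP_IMG" bs=1024 count="$TMP_BLOCKS"   # step 3
    chmod 600 "$TMP_IMG"          # addition: a readable image exposes every file in /tmp
    mke2fs -F "$TMP_IMG"          # step 4; -F skips the "not a block special device" prompt
    cp -a /tmp /tmp_backup        # step 5
    fstab_line >> /etc/fstab      # step 6
    mount -o "$MOUNT_OPTS" "$TMP_IMG" /tmp                      # step 7
    chmod 1777 /tmp               # step 8
    mount -o remount /tmp         # step 9: fails loudly if the fstab line is wrong
    cp -a /tmp_backup/. /tmp/     # step 10; "/." also carries hidden files across
    rm -rf /var/tmp /tmp_backup   # step 11
    ln -s /tmp /var/tmp           # step 12
    tmp_mount_hardened /proc/mounts && noexec_blocks_execution /tmp
}

if [ "${1:-}" = "--apply" ]; then
    apply_secure_tmp
fi
```

Run it as `sh secure_tmp.sh --apply` as root on a CentOS system whose /etc/fstab has no /tmp entry. The two checks at the end are the part worth keeping around after the change: the first reads /proc/mounts to confirm that the options in /etc/fstab actually took effect, and the second demonstrates the noexec behaviour directly, which is what the whole procedure is meant to buy you.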

IMPORTANT NOTICE: THIS WHITEPAPER MAY NOT BE APPLICABLE TO YOUR SITUATION AND YOU SHOULD STUDY IT CAREFULLY. WE ARE NOT RESPONSIBLE IF YOU DAMAGE YOUR SERVER OR ANY OF ITS CONTENTS FOLLOWING INFORMATION GIVEN IN ANY OF OUR WHITEPAPERS. WE'RE HAPPY TO CONTRACT WITH YOU TO DO THIS WORK AS A COMMERCIAL SERVICE AND WE DO GUARANTEE OUR WORK.