Wednesday, March 14, 2012

Securing tmp in centos linux


Securing /tmp is very important. /tmp is world writable directory. So if some intruders get acces to /tmp, its a potential threat. The main thing we have to do is disabling running of scripts in this directory. Now we will see how to harden or secure /tmp /vr/tmp and /dev/shm in centos linux. This tutorial has examples also.

First of all before doing any changes, create a back up file. Make this a habit
cp /etc/fstab /etc/fstab.bak

Securing /tmp:
Create a 5Gb file for /tmp partition (you can adjust the size according to your needs)
dd if=/dev/zero of=/var/tempFS bs=1024 count=5000000

Make ext3 filesystem in the file we just created. Because we are going to use this file to store data.
mkfs.ext3 /var/tempFS

Create  current bckup of the /tmp directory
cp -Rpf /tmp /tmp.bkp

Now mount the newly created file as /tmp
mount -o loop,noexec,nosuid,rw /var/tempFS /tmp

Because /tmp directory is universly writable and nobody can delete files created by others we will set permission 777 + sticky bit =1777
chmod 1777 /tmp

Copy the old data to new /tmp
cp -Rpf /tmp.bkp/* /tmp/
If the old /tmp was empty, it might throw some errors. Don't worry.

Now you can edit fstable and make changes for the /tmp entry
vi /etc/fstab
/var/tempFS  /tmp ext3 loop,nosuid,noexec,rw 0 0

Remount the /tmp for making effects.
mount -o remount /tmp

Securing /var/tmp:
move the /var/tmp directory to some other name
mv /var/tmp /var/tmp.bkp

Now create a link /var/tmp and point it to /tmp. The command is as follows
ln -s /tmp /var/tmp

cp /var/tmp.bkp/* /tmp/
If the old /var/tmp was empty, it might throw some errors. Don't worry

Securing /dev/shm:
vi /etc/fstab
add nosuid and noexec to mount options
tmpfs     /dev/shm    tmpfs   defaults,nosuid,noexec     0 0
save the file

Remount to make the effect
mount -o remount /dev/shm

No comments:

Post a Comment

Be nice. That's all.