{"id":954,"date":"2012-08-03T09:51:54","date_gmt":"2012-08-03T01:51:54","guid":{"rendered":"http:\/\/rmohan.com\/?p=954"},"modified":"2012-08-03T09:51:54","modified_gmt":"2012-08-03T01:51:54","slug":"securing-tmp-partition","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=954","title":{"rendered":"Securing \/tmp Partition"},"content":{"rendered":"<p>If you are renting a server then chances are everything is lumped in \/ and a small amount partitioned for \/boot and some for swap. With this current setup, you have no room for making more partitions unless you have a second hard-drive. Learn how to create a secure \/tmp partition even while your server is already up and running.<br \/>\nRecently, I found out it would be worthwhile to give \/tmp its own partition and mount it using noexec. This would protect your system from MANY local and remote exploits and rootkits that rely on being run from your \/tmp folder.<\/p>\n<p>What we are doing is creating a file that we will mount at \/tmp. So log in over SSH and su to root so we may begin!<\/p>\n<p>code:<\/p>\n<blockquote><p><em>cd \/dev<\/em><\/p><\/blockquote>\n<p>Create a 100MB file for our \/tmp partition. If you need more space, make the count larger.<\/p>\n<p>code:<\/p>\n<blockquote><p><em>dd if=\/dev\/zero of=tmpMnt bs=1024 count=100000<\/em><\/p><\/blockquote>\n<p>Make an extended filesystem for our tmpMnt file<\/p>\n<p>code:<\/p>\n<blockquote><p><em>\/sbin\/mke2fs \/dev\/tmpMnt<\/em><\/p><\/blockquote>\n<p>Back up your \/tmp dir. I had a mysql.sock file that I needed to recreate the symbolic link for. 
Other programs may use it to store cache files or whatever.<\/p>\n<p>code:<\/p>\n<blockquote><p><em>cd \/<\/em><\/p><\/blockquote>\n<p>code:<\/p>\n<blockquote><p><em>cp -R \/tmp \/tmp_backup<\/em><\/p><\/blockquote>\n<p>Mount the new \/tmp filesystem with noexec<\/p>\n<p>code:<\/p>\n<blockquote><p><em>mount -o loop,noexec,nosuid,rw \/dev\/tmpMnt \/tmp<\/em><\/p><\/blockquote>\n<p>code:<\/p>\n<blockquote><p><em>chmod 1777 \/tmp<\/em><\/p><\/blockquote>\n<p>Copy everything back to new \/tmp and remove backup<\/p>\n<p>code:<\/p>\n<blockquote><p><em>cp -R \/tmp_backup\/* \/tmp\/<\/em><\/p><\/blockquote>\n<p>code:<\/p>\n<blockquote><p><em>rm -rf \/tmp_backup<\/em><\/p><\/blockquote>\n<p>Now we need to add this to fstab so it mounts automatically on reboots.<\/p>\n<p>code:<\/p>\n<blockquote><p><em>pico -w \/etc\/fstab<\/em><\/p><\/blockquote>\n<p>You should see something like this:<br \/>\ncode:<br \/>\n<em>\/dev\/hda3 \/ ext3 defaults,usrquota 1 1<br \/>\n\/dev\/hda1 \/boot ext3 defaults 1 2<br \/>\nnone \/dev\/pts devpts gid=5,mode=620 0 0<br \/>\nnone \/proc proc defaults 0 0<br \/>\nnone \/dev\/shm tmpfs defaults 0 0<br \/>\n\/dev\/hda2 swap swap defaults 0 0<\/em><\/p>\n<p>At the bottom add<br \/>\ncode:<\/p>\n<blockquote><p><em>\/dev\/tmpMnt \/tmp ext2 loop,noexec,nosuid,rw 0 0<\/em><\/p>\n<p>(Each space is a tab)<br \/>\nSave it!<br \/>\n<em>Ctrl + X and Y<\/em><\/p><\/blockquote>\n<p>You\u2019re done: \/tmp is now mounted as noexec. You can sleep a little bit safer tonight. I created a hello world C++ program, compiled it, then moved it to \/tmp. Upon trying to run it (even chmod +x\u2019ed), it gives the following error:<\/p>\n<p>code:<br \/>\n<em>bash: .\/a.out: Permission denied<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you are renting a server then chances are everything is lumped in \/ and a small amount partitioned for \/boot and some for swap. With this current setup, you have no room for making more partitions unless you have a second hard-drive. 
Learn how to create a secure \/tmp partition even while your server [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/954"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=954"}],"version-history":[{"count":2,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/954\/revisions"}],"predecessor-version":[{"id":956,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/954\/revisions\/956"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=954"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=954"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=954"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}