Securing /tmp and shm partitions

Securing /tmp and /dev/shm is a nice practice.  Lots of programs and scripts have access in there. So you don’t want code, malicious or not to run in there, trying to get root permissions or snoop on you.

Temporary storage directories such as /tmp, /var/tmp and /dev/shm provide storage space for malicious executables.
Crackers and hackers store executables in /tmp. Malicious users can use temporary storage directories to execute unwanted program and crack your server.

First because I forget, let’s bind /var/tmp to /tmp in /etc/fstab

Now we deal with /tmp only.

Update 28/03/2015: That practice was for many unstable and criticized also by many. Unfortunately for them, I was vindicated when even OpenBSD in the upcoming version does the same for the very same reasons. Security.

Security improvements:

  • /var/tmp is now a symbolic link to /tmp, as a first step towards reducing the “fill it up” attack surface against the /var partition.

 

If it’s a separate partition we only need a

If it’s not, we will create an image for it. The example is for 4GB, tune it as you like.

Modify /tmp line as follows:

You should to the same for shm:

 

Edit your /etc/fstab:
# nano /etc/fstab

change:
“none /dev/shm tmpfs defaults,rw 0 0” to
“none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0”

Remount /dev/shm:
# mount -o remount /dev/shm
It should be fine now.

0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
Applescript: Run or Call a Shell Script
Viewed 2808 times since Tue, Aug 6, 2019
stunnel Securing telnet connections with stunnel
Viewed 333 times since Sun, Dec 6, 2020
Linux - How to get Memory information
Viewed 891 times since Fri, Jun 8, 2018
FIO (Flexible I/O) – a benchmark tool for any operating system
Viewed 18032 times since Wed, Jul 25, 2018
How To Set Up an SSL Tunnel Using Stunnel on Ubuntu
Viewed 1983 times since Fri, Sep 28, 2018
Top 4 Reasons for Node Reboot or Node Eviction in Real Application Cluster (RAC) Environment
Viewed 17122 times since Thu, Jun 21, 2018
3 Ways to Check Linux Kernel Version in Command Line
Viewed 9488 times since Fri, Apr 19, 2019
How to use yum command on CentOS/RHEL
Viewed 9340 times since Wed, Oct 17, 2018
How to use yum-cron to automatically update RHEL/CentOS Linux 6.x / 7.x
Viewed 2944 times since Tue, Dec 4, 2018
RHEL: Reserved space on a ext2/ext3/ext4 filesystem
Viewed 2957 times since Sun, May 27, 2018