Securing /tmp and shm partitions

Securing /tmp and /dev/shm is a nice practice.  Lots of programs and scripts have access in there. So you don’t want code, malicious or not to run in there, trying to get root permissions or snoop on you.

Temporary storage directories such as /tmp, /var/tmp and /dev/shm provide storage space for malicious executables.
Crackers and hackers store executables in /tmp. Malicious users can use temporary storage directories to execute unwanted program and crack your server.

First because I forget, let’s bind /var/tmp to /tmp in /etc/fstab

Now we deal with /tmp only.

Update 28/03/2015: That practice was for many unstable and criticized also by many. Unfortunately for them, I was vindicated when even OpenBSD in the upcoming version does the same for the very same reasons. Security.

Security improvements:

  • /var/tmp is now a symbolic link to /tmp, as a first step towards reducing the “fill it up” attack surface against the /var partition.

 

If it’s a separate partition we only need a

If it’s not, we will create an image for it. The example is for 4GB, tune it as you like.

Modify /tmp line as follows:

You should to the same for shm:

 

Edit your /etc/fstab:
# nano /etc/fstab

change:
“none /dev/shm tmpfs defaults,rw 0 0” to
“none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0”

Remount /dev/shm:
# mount -o remount /dev/shm
It should be fine now.

0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
Jak znaleźć najszybszy publiczny serwer DNS w Polsce?
Viewed 976 times since Mon, May 21, 2018
Procedura powiekszania OCFS2 online
Viewed 529 times since Fri, Jun 8, 2018
Red Hat Cluster Tutorial
Viewed 696 times since Sun, Jun 3, 2018
Creating SWAP partition using FDISK & FALLOCATE commands
Viewed 270 times since Thu, Jan 16, 2020
RHEL7: Create and configure LUKS-encrypted partitions and logical volumes to prompt for password and mount a decrypted file system at boot.
Viewed 1062 times since Mon, Aug 6, 2018
How to sort IP addresses in Linux
Viewed 1015 times since Sun, May 20, 2018
OpenSSL: Check SSL Certificate Expiration Date and More
Viewed 576 times since Mon, Feb 18, 2019
WatchDog watchdog.sh script for checking server running
Viewed 1773 times since Tue, Jul 31, 2018
LVM: Create a new Volume Group
Viewed 652 times since Sat, Jun 2, 2018
Using etckeeper with git
Viewed 931 times since Sun, Jun 3, 2018