[TUT] Securing /tmp and /dev/shm partitions

Status
Not open for further replies.

.:Raymond:.
Hello,

So here I am again for another tut. This time we are securing /tmp and /dev/shm.

Let's get started.

Part 1 : Securing /tmp

Step 1 : Make a 1GB (or more) file for /tmp and an ext3 filesystem for /tmp
Code:
dd if=/dev/zero of=/dev/tmpFS bs=1024 count=1000000
/sbin/mkfs.ext3 /dev/tmpFS

Step 2 : Create a backup copy of your current /tmp drive
Code:
cp -Rpf /tmp /tmpbackup

Step 3 : Mount our new tmp partition and change permissions
Code:
mount -o loop,noexec,nosuid,rw /dev/tmpFS /tmp
chmod 1777 /tmp

Step 4 : Copy old data
Code:
cp -Rpf /tmpbackup/* /tmp/

Step 5 : Edit /etc/fstab and add this
Code:
# /dev/tmpFS is the loop file created in Step 1
/dev/tmpFS /tmp ext3 loop,nosuid,noexec,rw 0 0

Step 6 : Test your fstab entry
Code:
mount -o remount /tmp

Part 2 : Secure /var/tmp

Step 1 : Rename it and create a symbolic link to /tmp
Code:
mv /var/tmp /var/tmp1
ln -s /tmp /var/tmp

Step 2 : Copy the old data back
Code:
# /var/tmp was renamed to /var/tmp1 in Step 1
cp -Rpf /var/tmp1/* /tmp/

Step 3 : Restart services that use the /tmp partition

Part 3 : Securing /dev/shm

Step 1 : Edit your /etc/fstab
Code:
nano /etc/fstab

change:
"none /dev/shm tmpfs defaults,rw 0 0" to
"none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0"

Step 2 : Remount /dev/shm
Code:
mount -o remount /dev/shm


And there you go :) All done!

*Note* if you have cpanel installed just run /scripts/securetmp in ssh
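
To confirm the result of Parts 1 to 3, the mount table can be checked for the noexec and nosuid options on /tmp and /dev/shm. The script below is an added example, not part of the original post; the function names and the sample mount table are constructed for illustration, and /var/tmp is covered by /tmp because the tutorial symlinks it there.

```shell
#!/bin/sh
# Added example: audit mount options in a /proc/mounts-style table.
# Function names and the sample table are constructed for illustration.

REQUIRED_OPTS="noexec nosuid"

# missing_opts TABLE MOUNTPOINT
# Prints the required options that MOUNTPOINT lacks (space separated),
# or "not-mounted" if MOUNTPOINT has no entry of its own in TABLE.
# The last matching entry wins, since later mounts shadow earlier ones.
missing_opts() {
    table=$1 mp=$2
    opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        echo "not-mounted"
        return 0
    fi
    missing=""
    for want in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    echo "$missing"
}

# audit TABLE: report each mount from the tutorial; non-zero exit on any gap.
audit() {
    table=$1 rc=0
    for mp in /tmp /dev/shm; do
        m=$(missing_opts "$table" "$mp")
        if [ -n "$m" ]; then
            echo "FAIL $mp: $m"; rc=1
        else
            echo "OK   $mp"
        fi
    done
    return $rc
}

# Constructed sample: /tmp hardened via loop file, /dev/shm still on defaults.
SAMPLE_TABLE='/dev/sda1 / ext3 rw,relatime 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec,relatime 0 0
none /dev/shm tmpfs rw,relatime 0 0'

audit "$SAMPLE_TABLE" || true
# On a live host: audit "$(cat /proc/mounts)"
```

A "not-mounted" result for /tmp means the fstab entry did not take effect and /tmp is still a plain directory on the root filesystem.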
6 comments
@Cory

<_< again cory this is a general tut. Not everyone has cpanel installed. But thanks for posting that :P lemme add it

Can't you tell I'm a cPanel user?

but only reason why I mentioned it is because I simply said I used the similar steps you posted above; to expand my /tmp on a cPanel server instead of using /scripts/securetmp :|

Just in case if anyone is looking to know how to do that on a 'cPanel Server'.

Questions could be asked: "Can I do this on a cPanel Server?" -Simply, yes...trying to simply avoid a lot of posts. :)