01-01-2004, 12:28 AM #1 | Web Hosting Master | Joined May 2003 | Kirkland, WA | 4,448 posts
New *useful* CPanel Script : /scripts/securetmp
Hey folks..
Just an FYI.
For those of you who either don't have a /tmp partition (i.e. ev1 users) or those who don't have their /tmp partition set to noexec, bdraco and I have written a script (I was mostly just the idea behind it.. and the howto behind it) to create a /tmp and noexec it and everything.
Basically, /tmp is the most (or close to the most) widely exploited directory; if it's set to noexec, the chances of users exploiting you by uploading a file and executing it are much less.
This script will do everything, including backing up your current /tmp and /var/tmp, and creating a /tmp partition if one does not exist; if it already exists, it'll secure it.
No reboots or anything required, just:
/scripts/updatenow
/scripts/securetmp
Hope this is helpful to everyone.. lemme know if you have any questions. Works on both Linux and FreeBSD.
Enjoy
01-01-2004, 12:29 AM #2 | WHT Addict | Joined Sep 2002 | 134 posts
does it symlink /var/tmp and /usr/tmp to /tmp?? If not, what's the point...
Also any scripts which mess around with your partitioning ARE dangerous, so I'm not too sure about this.. Good idea though.
01-01-2004, 12:30 AM #3 | Web Hosting Master | Joined May 2003 | Kirkland, WA | 4,448 posts
titoboo, yes it does.
And it doesn't automount /tmp at all; it puts itself into /etc/rc.local, so there is no risk of the system not booting due to /tmp.
[Edit: I didn't think about /usr/tmp at the time; it does do /var/tmp. I'll have /usr/tmp added.]
01-01-2004, 12:32 AM #4 | Web Hosting Master | Joined Apr 2001 | 2,611 posts
From what partition does it take the space for tmp if a separate /tmp partition does not exist?
01-01-2004, 12:35 AM #5 | Web Hosting Master | Joined May 2003 | Kirkland, WA | 4,448 posts
It creates /usr/tmpDSK which acts as the /tmp partition:
Code:
sub createtmpdisk {
    print "Building /usr/tmpDSK...";
    # 256000 x 1 KiB blocks (about 250 MB), zero-filled
    system("dd","if=/dev/zero","of=/usr/tmpDSK","bs=1024","count=256000");
    # feed "yes" to mkfs so it formats a plain file without prompting
    open(MKFS,"|-") || exec("/sbin/mkfs","/usr/tmpDSK");
    print MKFS "yes\r\n";
    close(MKFS);
    # add an ext3 journal where tune2fs is available
    if (-e "/sbin/tune2fs") {
        system("/sbin/tune2fs","-j","/usr/tmpDSK");
    }
    print "Done\n";
}
01-01-2004, 03:33 AM #6 | Web Hosting Master | Joined Aug 2002 | 2,631 posts
This script will come in handy when we get new servers. Currently, we have to repartition /tmp manually and edit fstab.
Nice job nickn.
YourCheapHost.com - Low cost multi domain hosting solutions. [Legal adult content friendly]
Reliable web site hosting is our motto. We have Alertra stats to back that up.
Proven provider of high quality shared and reseller accounts since 2002.
01-01-2004, 09:45 AM #7 | Web Hosting Master | Joined May 2003 | Kirkland, WA | 4,448 posts
Most of the credit goes to bdraco/nick
But indeed, it does come in handy.
01-01-2004, 11:11 AM #8 | Web Hosting Master | Joined Jul 2002 | Nashville, TN | 2,046 posts
Sweet, nice job!!
Now, we'll see how many support tickets this brings in, as I just set it up.
Regards,
Eric
01-01-2004, 11:24 AM #9 | Web Hosting Master | Joined May 2003 | Kirkland, WA | 4,448 posts
eh? It should affect anything. Rumor had it that APF didn't work well with it; I spoke with Ryan/Teck7 (APF creator) and he verified that it'll work fine....
If you do find anything that is negatively affected by a noexec /tmp, let me know so I can bash their heads in, since NOBODY should code anything legit which tries to execute a file in /tmp (unless it's root.)
Happy 2k4 friends.
01-01-2004, 11:29 AM #10 | Web Hosting Master | Joined Apr 2002 | USA | 5,783 posts
Kewl script, saves me lots of typing, better than doing it all by hand.
Thanks
01-01-2004, 11:42 AM #11 | Disabled | Joined Feb 2003 | NY | 586 posts
I did it the manual way and kayako was broken with it so I had to undo it
01-01-2004, 12:40 PM #12 | Web Hosting Master | Joined May 2003 | Kirkland, WA | 4,448 posts
Hm... I'm gonna check with kayako on this. And like I said, bash their heads in.
01-01-2004, 03:45 PM #13 | Web Hosting Master | Joined Aug 2002 | 2,631 posts
Originally posted by nickn
Most of the credit goes to bdraco/nick
01-01-2004, 03:56 PM #14 | Web Hosting Master | Joined Nov 2000 | localhost | 3,771 posts
As someone else said somewhere else, it doesn't do much good.
Copy 'ls' to /tmp for example, then do:
Then from within the temp directory:
/lib/ld-2.2.5.so /tmp/ls
MattF - Since the start..
01-01-2004, 04:35 PM #15 | Web Hosting Master | Joined May 2003 | 1,708 posts
Awesome utility guys. We have been doing this manually so this will speed up new server implementation.
01-01-2004, 05:12 PM #16 | Web Hosting Master | Joined May 2003 | Kirkland, WA | 4,448 posts
It's not meant to be the ultimate "one stop secure your server"; it's simply an easier way to secure your /tmp partition, for those such as kris who already do it manually, or for those who don't do it at all.
Using this script is better than not setting your /tmp to noexec at all.
01-01-2004, 05:31 PM #17 | Web Hosting Master | Joined May 2003 | Florida | 902 posts
Is there a link to this script? How do we get it?
01-01-2004, 05:34 PM #18 | Web Hosting Master | Joined Feb 2003 | 2,289 posts
Code:
#!/usr/bin/perl
# cpanel8 - scripts Copyright(c) 1997-2003 cPanel, Inc.
# All rights Reserved.
# nick@cpanel.net http://cpanel.net

$|=1;

# Interactive run (or --install): offer to add a boot-time hook to rc.local.
# Non-interactive run (--auto, as called from rc.local): detach into the background.
if ((-t STDIN && $ARGV[0] ne "--auto") || $ARGV[0] eq "--install") {
    my $hasst = 0;
    if (-e "/etc/rc.d/rc.local") {
        open(RC,"/etc/rc.d/rc.local");
    } else {
        open(RC,"/etc/rc.local");
    }
    while(<RC>) {
        if (/securetmp/) { $hasst = 1; last; }
    }
    close(RC);
    if (! $hasst) {
        my $q;
        if ($ARGV[0] ne "--install") {
            print "Would you like to secure /tmp & /var/tmp at boot time? ";
            chomp($q = <STDIN>);
        } else {
            $q = 'yes';
        }
        if ($q =~ /^y/i) {
            if (-e "/etc/rc.d/rc.local") {
                open(RC,">>/etc/rc.d/rc.local");
            } else {
                my $setperm = 0;
                if (! -e "/etc/rc.local") { $setperm = 1; }
                open(RC,">>/etc/rc.local");
                if ($setperm) { chmod(0755,"/etc/rc.local"); }
            }
            print RC "\n\n#--Added by /scripts/securetmp--\n/scripts/securetmp --auto\n\n";
            close(RC);
        }
    }
} else {
    $SIG{'CHLD'} = 'IGNORE';
    print "Setting up /tmp & /var/tmp in the background\n";
    if (fork()) { exit(); }
}

if ($ARGV[0] eq "--install") {
    print "Install Complete!\n";
    exit();
}

$ENV{'PATH'} .= ":/sbin:/usr/sbin";
chomp($system = `uname -s`);

# Discover how /tmp and /var/tmp are currently mounted (device and options).
my $tmpmnt = '';
my $vartmpmnt = '';
my $tmpopts = '';
my $vartmpopts = '';
my $mountkeyword = 'remount';
if ($system =~ /freebsd/i) { $mountkeyword = 'update'; }

if (! -e "/proc/mounts") {
    # FreeBSD: parse mount(8) output, "device on /mountpoint (options)"
    open(MT,"mount|");
    while(<MT>) {
        /(\S+) on (\S+) \(([^\)]+)\)/;
        if ($2 eq "/tmp") { $tmpmnt = $1; $tmpopts = $3; }
        if ($2 eq "/var/tmp") { $vartmpmnt = $1; $vartmpopts = $3; }
    }
    close(MT);
} else {
    # Linux: /proc/mounts lines are "device mountpoint fstype options 0 0"
    open(MT,"/proc/mounts");
    while(<MT>) {
        /^(\S+) (\S+) \S+ (\S+)/;
        if ($2 eq "/tmp") { $tmpmnt = $1; $tmpopts = $3; }
        if ($2 eq "/var/tmp") { $vartmpmnt = $1; $vartmpopts = $3; }
    }
    close(MT);
}

# No separate /tmp and no image yet: build the loopback image file.
if ($tmpmnt eq "" && ! -e "/usr/tmpDSK") {
    print "No separate partition for tmp!\n";
    createtmpdisk();
}

if ($tmpmnt eq "" && -e "/usr/tmpDSK") {
    # Save the current /tmp, mount the image on a fresh /tmp, then restore the contents.
    print "Setting up /tmp..";
    mkdir("/usr/tmp.secure",0700);
    archivecopy("/tmp","/usr/tmp.secure");
    system("rm","-rf","/tmp");
    mkdir("/tmp",oct(1777));
    system("mount","-o","loop,noexec,nosuid,rw","/usr/tmpDSK","/tmp");
    archivecopy("/usr/tmp.secure/tmp/.","/tmp");
    chmod(oct(1777),"/tmp");
    system("rm","-rf","/usr/tmp.secure");
    print "Done\n";
} elsif ($tmpmnt ne "" && $tmpopts !~ /noexec/) {
    # Already a separate mount: just remount it with the hardening flags.
    print "Securing /tmp...";
    system("mount","-o","${mountkeyword},noexec,nosuid","/tmp");
    print "Done\n";
} else {
    print "/tmp is already secure\n";
}

if ($vartmpmnt eq "" && -e "/usr/tmpDSK") {
    # /var/tmp becomes a view of /tmp (nullfs on FreeBSD, bind mount on Linux).
    print "Setting up /var/tmp..";
    if ($system =~ /freebsd/i) {
        system("mount_null","-o","noexec,nosuid","/tmp","/var/tmp");
    } else {
        system("mount","-o","bind,noexec,nosuid","/tmp","/var/tmp");
    }
    print "Done\n";
} elsif ($vartmpmnt ne "" && $vartmpopts !~ /noexec/) {
    print "Securing /var/tmp...";
    system("mount","-o","${mountkeyword},noexec,nosuid","/var/tmp");
    print "Done\n";
} else {
    print "/var/tmp is already secure\n";
}
print "Process Complete\n";

# 256000 x 1 KiB blocks (about 250 MB), zero-filled, formatted with mkfs and
# given an ext3 journal where tune2fs is available.
sub createtmpdisk {
    print "Building /usr/tmpDSK...";
    system("dd","if=/dev/zero","of=/usr/tmpDSK","bs=1024","count=256000");
    open(MKFS,"|-") || exec("/sbin/mkfs","/usr/tmpDSK");
    print MKFS "yes\r\n";
    close(MKFS);
    if (-e "/sbin/tune2fs") {
        system("/sbin/tune2fs","-j","/usr/tmpDSK");
    }
    print "Done\n";
}

# Recursive copy preserving ownership and modes: cp -af on Linux, cp -Rpf on FreeBSD.
sub archivecopy {
    my($origin,$dest) = @_;
    my($cpflags) = '-af';
    if ($system =~ /freebsd/i) { $cpflags = '-Rpf'; }
    system("cp",$cpflags,$origin,$dest);
}
P4HOST.COM -- Specialize in quality Web Hosting solutions.
Affordable -- Prices are very comparative
Reliable -- Very low load average guaranteed. 60 day money back. Fast Support --Support Forum -- Providing hosting since 2003
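The script above decides what to do by reading /proc/mounts (or mount output on FreeBSD) and checking the option string of /tmp and /var/tmp for noexec. The following is an added shell example, not cPanel's code, that performs the same check as a stand-alone audit, so you can verify the result after running securetmp and again after a reboot (the change lives only in rc.local, as noted later in the thread). It reads the live /proc/mounts on Linux, or a saved copy passed as an argument; the --check flag and the function names are this example's own. Keep in mind the caveat raised in post #14: noexec on the mount raises the bar but is not a complete control, so this audit confirms the configuration is in place, nothing more.

```sh
#!/bin/sh
# Added example, not cPanel's code: audit /tmp and /var/tmp the way
# /scripts/securetmp decides what to do, by reading /proc/mounts and
# checking the option string for noexec and nosuid.  Run "--check" for the
# live host, or "--check FILE" to read a saved /proc/mounts copy.

# Effective option string of mount point $1 (last entry wins, as on Linux)
# from the /proc/mounts-format file $2; return 1 if it is not a separate mount.
mount_opts() {
    awk -v mp="$1" '$2 == mp { opts = $4; found = 1 }
                    END { if (found) print opts; exit !found }' "${2:-/proc/mounts}"
}

# Print the flags among $2.. that are absent from the comma-separated option
# string $1 (an empty line when nothing is missing).
missing_flags() {
    opts=",$1,"
    shift
    missing=""
    for flag in "$@"; do
        case "$opts" in
            *",$flag,"*) ;;
            *) missing="${missing:+$missing }$flag" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# One line per directory; return 1 if either is unmounted or under-flagged.
audit_tmp() {
    mounts=${1:-/proc/mounts}
    status=0
    for dir in /tmp /var/tmp; do
        if opts=$(mount_opts "$dir" "$mounts"); then
            missing=$(missing_flags "$opts" noexec nosuid)
            if [ -n "$missing" ]; then
                printf '%s: missing %s\n' "$dir" "$missing"
                status=1
            else
                printf '%s: ok (%s)\n' "$dir" "$opts"
            fi
        else
            # No mount of its own: it inherits the options of the filesystem
            # holding it, which is the case securetmp's createtmpdisk path handles.
            printf '%s: not a separate mount\n' "$dir"
            status=1
        fi
    done
    return $status
}

if [ "${1:-}" = "--check" ]; then
    audit_tmp "${2:-}"
fi
```

Run it as `sh audit-tmp.sh --check` after securetmp finishes and once more after the next reboot. A /var/tmp bind mount whose flags were given only at creation time can show up here as "missing noexec nosuid" on older kernels that ignore per-mount flags on a bind; a remount of /var/tmp with the flags is the fix in that case.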
01-01-2004, 05:36 PM #19 | Web Hosting Master | Joined Feb 2003 | 2,289 posts
this script is useful for newbies... after you reboot your machine, the tmp partition will be unmounted... also it's limited in size.
01-01-2004, 05:54 PM #20 | Disabled | Joined Dec 2003 | 24 posts
kudos for a script like this
01-02-2004, 07:26 AM #21 | Registered User | Joined Jan 2001 | Vienna, Austria | 2,531 posts
Originally posted by inteltechs
this script is useful for newbies... after you reboot your machine, the tmp partition will be unmounted... also it's limited in size.
01-02-2004, 10:17 AM #22 | Junior Guru | Joined Apr 2003 | Brooklyn NY | 213 posts
I am having several problems after running this script:
go to: http://www.vsdp.net and you see the error there,
when I did it on a second server of mine, at the end of the setup it gave an error of "No space left on device" and now I get the following errors:
in http://www.boondogle.uni.cc/forum/:
General Error
Could not query forums information
DEBUG MODE
SQL Error : 1 Can't create/write to file '/tmp/#sql_102c_0.MYI' (Errcode: 13)
SELECT f.*, p.post_time, p.post_username, u.username, u.user_id FROM (( phpbb_forums f LEFT JOIN phpbb_posts p ON p.post_id = f.forum_last_post_id ) LEFT JOIN phpbb_users u ON u.user_id = p.poster_id ) ORDER BY f.cat_id, f.forum_order
Line : 165
File : /home/boon/public_html/forum/index.php
and another client When trying to access webmail (horde) got this error.
Warning: open(/tmp/sess_7a09494899f22807b20f720c88d8e849, O_RDWR) failed: No
space left on device (28) in Unknown on line 0
Warning: Failed to write session data (files). Please verify that the current
setting of session.save_path is correct (/tmp) in Unknown on line
what needs to be done?
01-02-2004, 10:23 AM #23 | Junior Guru | Joined Apr 2003 | Brooklyn NY | 213 posts
now I even went ahead and removed the line
/scripts/securetmp --auto
Keep in mind that because this only runs from /etc/rc.local, a reboot (and removal from rc.local) will reverse anything it has done and take you back to the 'before' setup, if absolutely necessary.
01-02-2004, 11:25 AM #24 | Disabled | Joined Feb 2003 | NY | 586 posts
just take it out of rc.local and do this
mkdir /tmpbackup
cp -r /tmp /tmpbackup
umount /tmp
cp -r /tmpbackup/tmp/. /tmp
should remove it
01-02-2004, 01:05 PM #25 | Web Hosting Master | Joined May 2003 | Kirkland, WA | 4,448 posts
Hmm... I think bdraco will need to add support to make sure that there is plenty of filespace, and/or give the option of how big you want /tmp; he set it to automatically decide the size, and that might not be wise.
As far as those horde errors go, make sure chmod 0777 /tmp. I've checked horde on the numerous machines I have this script running on, and none of them show these symptoms.
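Posts #5, #22 and #25 show where the script's image creation bites: createtmpdisk dd's a fixed 256000 KiB file without checking that /usr has room for it, the copy back into the new /tmp can run out of space, and a /tmp left without the 1777 mode it normally sets produces errors like the "Errcode: 13" and "No space left on device" messages quoted above. The following added shell example, not cPanel's code, is a Linux-only reimplementation of the same procedure with the missing pieces: a free-space check before dd, a SIZE_MB knob instead of a hard-coded size, a refusal to proceed when the current /tmp contents would not fit the image, the sticky 1777 mode the original script itself applies, a refusal to touch a /tmp that is already its own mount, and an idempotent rc.local hook. The helper names, the RESERVE_MB margin and the /usr/local/sbin/securetmp-example install path are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of cPanel's /scripts/securetmp: loop-backed
# noexec,nosuid,nodev /tmp with the checks the thread found missing.
# Linux only (mount --bind); apply_securetmp must run as root, while the
# helper functions are pure so they can be exercised on any host.

IMAGE=${IMAGE:-/usr/tmpDSK}
SIZE_MB=${SIZE_MB:-250}          # securetmp hard-coded 256000 KiB; make it a knob
RESERVE_MB=${RESERVE_MB:-100}    # assumed margin to leave free on the host filesystem
RC_LOCAL=${RC_LOCAL:-/etc/rc.local}
RC_CMD=${RC_CMD:-/usr/local/sbin/securetmp-example --apply}   # hypothetical install path

# Available KiB on the filesystem holding directory $1, from `df -Pk`.
# $2 may carry canned df output so the parser can be checked without df.
avail_kb() {
    dfout=${2:-$(df -Pk "$1")}
    printf '%s\n' "$dfout" | awk 'NR > 1 { print $4; exit }'
}

# Return 0 if a SIZE_MB image at path $1 still leaves RESERVE_MB free.
space_ok() {
    avail=$(avail_kb "$(dirname "$1")" "${2:-}")
    need=$(( (SIZE_MB + RESERVE_MB) * 1024 ))
    [ "${avail:-0}" -ge "$need" ]
}

# Append the boot-time hook exactly once (securetmp greps rc.local the same way).
ensure_rc_hook() {
    grep -qF -- "$2" "$1" 2>/dev/null && return 0
    printf '\n# added by securetmp example\n%s\n' "$2" >> "$1"
    chmod 0755 "$1"
}

apply_securetmp() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    if grep -q ' /tmp ' /proc/mounts; then
        echo "/tmp is already a separate mount; remount it with noexec,nosuid instead" >&2
        return 1
    fi
    # The copy back fails with ENOSPC if the current /tmp is bigger than the image.
    used=$(du -sk /tmp | awk '{ print $1 }')
    if [ "$used" -ge $(( SIZE_MB * 1024 )) ]; then
        echo "/tmp holds ${used} KiB, more than a ${SIZE_MB} MB image can take" >&2
        return 1
    fi
    if [ ! -e "$IMAGE" ]; then
        space_ok "$IMAGE" || { echo "not enough free space under $(dirname "$IMAGE")" >&2; return 1; }
        dd if=/dev/zero of="$IMAGE" bs=1M count="$SIZE_MB" 2>/dev/null || return 1
        chmod 0600 "$IMAGE"                      # only root reads the raw image
        mke2fs -q -F -j "$IMAGE" || return 1     # ext3, as securetmp's mkfs + tune2fs -j
    fi
    # Keep current contents (PHP sessions, MySQL temp tables) across the swap.
    backup=$(mktemp -d /usr/tmp.secure.XXXXXX) || return 1
    cp -a /tmp/. "$backup"/ || return 1
    # Mount over the existing directory rather than rm -rf it: the old files stay
    # underneath and reappear unchanged if the mount is ever removed.
    mount -o loop,rw,noexec,nosuid,nodev "$IMAGE" /tmp || return 1
    cp -a "$backup"/. /tmp/
    chmod 1777 /tmp                              # world-writable plus sticky bit
    rm -rf "$backup"
    # /var/tmp as a bind of /tmp; flags on a bind mount take effect on remount.
    mount --bind /tmp /var/tmp || return 1
    mount -o remount,bind,noexec,nosuid,nodev /var/tmp || return 1
    ensure_rc_hook "$RC_LOCAL" "$RC_CMD"
}

if [ "${1:-}" = "--apply" ]; then
    apply_securetmp
fi
```

Install the file at the path named in RC_CMD and run it once as root with --apply; the rc.local hook repeats the same run at boot, so, as with securetmp, removing the hook and rebooting returns the server to the plain /tmp directory. Mounting over /tmp instead of deleting it is the one deliberate departure from the original script: it means a failed run leaves the old contents intact underneath the mount.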