  1. #1

    New *useful* CPanel Script : /scripts/securetmp

    Hey folks..

    Just an FYI.

    For those of you who either don't have a /tmp partition (ie: ev1 users) or those who don't have their /tmp partition set to noexec, bdraco and I have written a script (I was mostly just the idea behind it..and the howto behind it) to create a /tmp and noexec it and everything.

    Basically, /tmp is the most (or close to the most) widely exploited directory; if it's set to noexec, the chances of users exploiting you by uploading a file and executing it are much lower.

    This script will do everything, including backing up your current /tmp and /var/tmp, creating a /tmp partition if it is not created, if it is created, it'll secure it.

    No reboots, or anything required, just:

    /scripts/updatenow
    /scripts/securetmp

    Hope this is helpful to everyone..lemme know if you have any questions, works on both Linux and FreeBSD.

    Enjoy

  2. #2
    does it symlink /var/tmp and /usr/tmp to /tmp ?? If not, what's the point ...

    Also any scripts which mess around with your partitioning ARE dangerous so I'm not too sure about this..Good idea though

  3. #3
    titoboo, yes it does.

    And it doesn't automount /tmp at all, it puts itself into /etc/rc.local , this way there is no risk of the system not booting due to /tmp.

    [Edit: I didn't think about /usr/tmp at the time, it does do /var/tmp, I'll have /usr/tmp added.]

  4. #4
    From what partition does it take the space for tmp if a separate /tmp partition does not exist?

  5. #5
    It creates /usr/tmpDSK which acts as the /tmp partition

    Code:
    sub createtmpdisk {
       print "Building /usr/tmpDSK...";
       system("dd","if=/dev/zero","of=/usr/tmpDSK","bs=1024","count=256000");
       open(MKFS,"|-") || exec("/sbin/mkfs","/usr/tmpDSK");
       print MKFS "yes\r\n";
       close(MKFS);
       if (-e "/sbin/tune2fs") {
          system("/sbin/tune2fs","-j","/usr/tmpDSK");
       }
       print "Done\n";
    }
    Keep in mind because this only runs from /etc/rc.local, a reboot (and removal from rc.local) will reverse anything it has done, and take you back to the 'before' setup, if absolutely necessary.

  6. #6
    This script will come in handy when we get new servers. Currently, we have to repartition /tmp manually and edit fstab.

    Nice job nickn.

  7. #7
    Most of the credit goes to bdraco/nick

    But indeed, it does come in handy.
    Nick Nelson
    Sr. Director & GM, VAS
    Demand Media
    425.298.2282 nn@demandmedia.com

  8. #8
    Sweet Nice Job!!
    Now, we'll see how many support tickets this brings in, as I just set it up
    Regards,
    Eric


  9. #9
    eh? It should affect anything. Rumor had it that APF didn't work well with it, spoke with Ryan/Teck7 (APF creator) he verified that it'll work fine....

    If you do find anything that is negatively affected by a noexec /tmp, let me know so I can bash their heads in since NOBODY should code anything legit which tries to execute a file in /tmp (unless it's root.)

    Happy 2k4 friends.

  10. #10
    Kewl script, saves me lots of typing, better than doing it all by hand.

    Thanks

  11. #11
    I did it the manual way and kayako was broken with it so I had to undo it

  12. #12
    hm...I'm gonna check with kayako on this. And like I said, bash their heads in

  13. #13
    Originally posted by nickn
    Most of the credit goes to bdraco/nick
    Yep, and to bdraco as well.

  14. #14
    As someone else said somewhere else, it doesn't do much good.

    Copy 'ls' to /tmp for example then do:

    Then from within the temp directory:
    /lib/ld-2.2.5.so /tmp/ls
    MattF - Since the start..

  15. #15
    Awesome utility guys. We have been doing this manually so this will speed up new server implementation.

  16. #16
    It's not meant to be the ultimate "one stop secure your server"; it's simply an easier way to secure your /tmp partition. For those such as kris who already do it manually, or for those who don't do it at all.

    Using this script, is better than not setting your /tmp to noexec at all.

  17. #17
    Is there a link to this script? How do we get it?

  18. #18
    Code:
    #!/usr/bin/perl
    # cpanel8 - scripts        Copyright(c) 1997-2003 cPanel, Inc.
    #                                 All rights Reserved.
    # nick@cpanel.net      http://cpanel.net
    
    $|=1;
    
    if ((-t STDIN && $ARGV[0] ne "--auto") || $ARGV[0] eq "--install") {
       my $hasst = 0;
       if (-e "/etc/rc.d/rc.local") {
          open(RC,"/etc/rc.d/rc.local");
       } else {
          open(RC,"/etc/rc.local");
       }
       while(<RC>) { if (/securetmp/) { $hasst = 1; last; } }
       close(RC);
       if (! $hasst) {
          my $q;
          if ($ARGV[0] ne "--install") {
             print "Would you like to secure /tmp & /var/tmp at boot time? ";
             chomp($q = <STDIN>);
          } else {
             $q = 'yes';
          }
          if ($q =~ /^y/i) {
             if (-e "/etc/rc.d/rc.local") {
                open(RC,">>/etc/rc.d/rc.local");
             } else {
                my $setperm = 0;
                if (! -e "/etc/rc.local") { $setperm = 1; }
                open(RC,">>/etc/rc.local");
                if ($setperm) { chmod(0755,"/etc/rc.local"); }
             }
             print RC "\n\n#--Added by /scripts/securetmp--\n/scripts/securetmp --auto\n\n";
             close(RC);
          }
       }
    } else {
       $SIG{'CHLD'} = 'IGNORE';
       print "Setting up /tmp & /var/tmp in the background\n";
       if (fork()) { exit(); }
    }
    
    if ($ARGV[0] eq "--install") { 
       print "Install Complete!\n";
       exit();
    }
    
    $ENV{'PATH'} .= ":/sbin:/usr/sbin";
    
    chomp($system = `uname -s`);
    
    my $tmpmnt = '';
    my $vartmpmnt = '';
    my $tmpopts = '';
    my $vartmpopts = '';
    
    my $mountkeyword = 'remount';
    
    if ($system =~ /freebsd/i) {
       $mountkeyword = 'update';
    }
    
    
    if (! -e "/proc/mounts") {
       open(MT,"mount|");
       while(<MT>) {
          /(\S+) on (\S+) \(([^\)]+)\)/;
          if ($2 eq "/tmp") { $tmpmnt = $1; $tmpopts = $3; }
          if ($2 eq "/var/tmp") { $vartmpmnt = $1; $vartmpopts = $3; }
       }
       close(MT);
    } else {
       open(MT,"/proc/mounts");
       while(<MT>) {
          /^(\S+) (\S+) \S+ (\S+)/;
          if ($2 eq "/tmp") { $tmpmnt = $1; $tmpopts = $3; }
          if ($2 eq "/var/tmp") { $vartmpmnt = $1; $vartmpopts = $3; }
       }
       close(MT);
    }
    
    if ($tmpmnt eq "" && ! -e "/usr/tmpDSK") {
       print "No seperate partition for tmp!\n";
       createtmpdisk();
    } 
    
    if ($tmpmnt eq "" && -e "/usr/tmpDSK") {
       print "Setting up /tmp..";
       mkdir("/usr/tmp.secure",0700);
       archivecopy("/tmp","/usr/tmp.secure");
       system("rm","-rf","/tmp");
       mkdir("/tmp",oct(1777));
       system("mount","-o","loop,noexec,nosuid,rw","/usr/tmpDSK","/tmp");
       archivecopy("/usr/tmp.secure/tmp/.","/tmp");
       chmod(oct(1777),"/tmp");
       system("rm","-rf","/usr/tmp.secure");
       print "Done\n";
    } elsif ($tmpmnt ne "" && $tmpopts !~ /noexec/) {
       print "Securing /tmp...";
       system("mount","-o","${mountkeyword},noexec,nosuid","/tmp");
       print "Done\n";
    } else {
       print "/tmp is already secure\n";
    }
    
    if ($vartmpmnt eq "" && -e "/usr/tmpDSK") {
       print "Setting up /var/tmp..";
       if ($system =~ /freebsd/i) {
          system("mount_null","-o","noexec,nosuid","/tmp","/var/tmp");
       } else {
          system("mount","-o","bind,noexec,nosuid","/tmp","/var/tmp");
       }
       print "Done\n";
    } elsif ($vartmpmnt ne "" && $vartmpopts !~ /noexec/) {
       print "Securing /var/tmp...";
       system("mount","-o","${mountkeyword},noexec,nosuid","/var/tmp");
       print "Done\n";
    } else {
       print "/var/tmp is already secure\n";
    }
    
    print "Process Complete\n";
    
    sub createtmpdisk {
       print "Building /usr/tmpDSK...";
       system("dd","if=/dev/zero","of=/usr/tmpDSK","bs=1024","count=256000");
       open(MKFS,"|-") || exec("/sbin/mkfs","/usr/tmpDSK");
       print MKFS "yes\r\n";
       close(MKFS);
       if (-e "/sbin/tune2fs") { 
          system("/sbin/tune2fs","-j","/usr/tmpDSK");
       }
       print "Done\n";
    }
    
    sub archivecopy {
       my($origin,$dest) = @_;
    
       my($cpflags) = '-af';
       if ($system =~ /freebsd/i) { $cpflags = '-Rpf'; }
    
       system("cp",$cpflags,$origin,$dest);
    }

  19. #19
    this script is useful for newbies... after you reboot your machine, tmp partition will be unmounted... also it's limited in size.

  20. #20
    kudos for a script like this

  21. #21
    Originally posted by inteltechs
    this script is useful for newbies... after you reboot your machine, tmp partition will be unmounted... also it's limited in size.
    So you have to run it each time you reboot the machine? (nickn is this correct or will it create "troubles" if you run it after the reboot?)

  22. #22
    I am having several problems after running this script:

    go to: http://www.vsdp.net and you see the error there,

    when I did it on a second server of mine, at the end of the setup it gave an error of "No space left on device" and now I get the following errors:

    in http://www.boondogle.uni.cc/forum/:
    General Error

    Could not query forums information

    DEBUG MODE

    SQL Error : 1 Can't create/write to file '/tmp/#sql_102c_0.MYI' (Errcode: 13)

    SELECT f.*, p.post_time, p.post_username, u.username, u.user_id FROM (( phpbb_forums f LEFT JOIN phpbb_posts p ON p.post_id = f.forum_last_post_id ) LEFT JOIN phpbb_users u ON u.user_id = p.poster_id ) ORDER BY f.cat_id, f.forum_order

    Line : 165
    File : /home/boon/public_html/forum/index.php

    and another client When trying to access webmail (horde) got this error.

    Warning: open(/tmp/sess_7a09494899f22807b20f720c88d8e849, O_RDWR) failed: No
    space left on device (28) in Unknown on line 0

    Warning: Failed to write session data (files). Please verify that the current
    setting of session.save_path is correct (/tmp) in Unknown on line

    what needs to be done?

  23. #23
    now I even went ahead and removed the line

    /scripts/securetmp --auto
    and rebooted and it still gives me the error, so I need help in either getting the sql / tmp to work with this script or at least reverse it to the way it was before, unfortunately it was not as simple as

    Keep in mind because this only runs from /etc/rc.local, a reboot (and removal from rc.local) will reverse anything it has done, and take you back to the 'before' setup, if absolutely necessary.

  24. #24
    just take it out of rc.local and do this

    mkdir tmpbackup
    cp tmp tmpbackup -r
    umount /tmp
    cp tmpbackup tmp -r

    should remove it

  25. #25
    Hmm...I think bdraco will need to add support to make sure that there is plenty of filespace, and/or give the option of how big you want /tmp, he set it to automatically decide the size..and that might not be wise.

    As far as those horde errors go, make sure chmod 0777 /tmp. I've checked horde on the numerous machines I have this script running on, and none of them show these symptoms.
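    The thread leaves two checks to the admin: whether /tmp and /var/tmp actually ended up with noexec,nosuid (posts #1 and #18), and whether the filesystem holding /usr/tmpDSK has room for the 256000 KB image the script's dd command writes before that image fills it (posts #22 and #25). The POSIX sh script below is an added example, not cPanel's code and not part of this thread: it parses /proc/mounts-format text, reports each mount point as secure, missing options, or not mounted, and refuses a tmpDSK build that would leave less than an assumed 100 MB margin. The sample mount table is constructed, and /var/tmp is deliberately shown without the options so that a bind or nullfs mount that did not pick them up is caught rather than assumed to match /tmp.

```shell
#!/bin/sh
# Added example (not cPanel's securetmp): audit /tmp and /var/tmp mount options
# and check the free-space precondition before building a loop-file /tmp.

# Constructed sample in /proc/mounts format; not captured from a real host.
# /var/tmp is shown without noexec/nosuid on purpose.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec 0 0
/dev/loop0 /var/tmp ext3 rw 0 0'

# Size the thread's script writes with dd: bs=1024 count=256000 -> 256000 KB.
TMPDSK_KB=256000

# mount_opts <mountpoint> <mounts-text>: print the option field (4th column)
# of the last matching entry, or nothing if the path is not a mount point.
mount_opts() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { o = $4 } END { print o }'
}

# has_opt <mountpoint> <option> <mounts-text>: exit 0 if the option is set.
has_opt() {
    opts=$(mount_opts "$1" "$3")
    case ",$opts," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# tmp_status <mountpoint> <mounts-text>: print one of
#   secure | missing:<opt>[,<opt>] | not-mounted
# and exit non-zero unless the mount point is fully secured.
tmp_status() {
    mp=$1
    mounts=$2
    if [ -z "$(mount_opts "$mp" "$mounts")" ]; then
        echo not-mounted
        return 1
    fi
    missing=""
    for want in noexec nosuid; do
        has_opt "$mp" "$want" "$mounts" || missing="${missing:+$missing,}$want"
    done
    if [ -z "$missing" ]; then
        echo secure
        return 0
    fi
    echo "missing:$missing"
    return 1
}

# space_ok <avail_kb> <needed_kb> [margin_kb]: exit 0 only if writing the
# image still leaves margin_kb free (assumed default margin: 100 MB).
space_ok() {
    margin=${3:-102400}
    [ "$1" -ge $(( $2 + margin )) ]
}

# check_host: run both checks against the live system (Linux /proc/mounts).
check_host() {
    [ -r /proc/mounts ] || { echo "no /proc/mounts here; parse 'mount' output instead"; return 2; }
    live=$(cat /proc/mounts)
    rc=0
    for mp in /tmp /var/tmp; do
        st=$(tmp_status "$mp" "$live") || rc=1
        echo "$mp: $st"
    done
    avail=$(df -Pk /usr | awk 'NR == 2 { print $4 }')
    if space_ok "$avail" "$TMPDSK_KB"; then
        echo "/usr: ${avail} KB free, enough for a ${TMPDSK_KB} KB tmpDSK"
    else
        echo "/usr: ${avail} KB free, too little for a ${TMPDSK_KB} KB tmpDSK"
        rc=1
    fi
    return $rc
}

# Usage: sh securetmp-check.sh --check
case "${1:-}" in
    --check) check_host ;;
esac
```

    Running it with --check on a host where the script's rc.local entry has been removed and the box rebooted shows /tmp as not-mounted, which is the state post #23 was trying to confirm; on FreeBSD, where /proc/mounts is absent, feed tmp_status the output of mount converted to the same five-column layout instead.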
