
Thread: securing /tmp

  1. #1
    Join Date
    Aug 2002
    Location
    Denmark
    Posts
    432

    securing /tmp

    Hi

    I was wondering about securing the /tmp directory on a Cpanel server and I've read the following article (http://www.webhostgear.com/34.html) about mounting the directory noexec, but won't that break mysql when the mysql.sock@ file is on a noexec partition?

    Does anybody have some other solution?

    Martin
    Checkout www.crunzh.com for nice freeware programs. Including a program for monitoring your webserver.
    Any opinions in this post, unless otherwise noted, are my own personal opinions.

  2. #2
    Join Date
    Jun 2003
    Location
    World Wide Web
    Posts
    581
    You could run /scripts/securetmp if you are on a cpanel server.
    That does not affect mysql because it needn't be executable. I have it enabled on a few servers and all of them work perfectly.

    Vivek Prasannan

  3. #3
    Join Date
    Aug 2002
    Location
    Denmark
    Posts
    432
    Originally posted by visiondream3
    You could run /scripts/securetmp if you are on a cpanel server.
    That does not affect mysql because it needn't be executable. I have it enabled on a few servers and all of them work perfectly.

    Vivek Prasannan
    Hi

    If I do a chmod -x /tmp, mysql stops working, so it must somewhere require the x bit.
    Checkout www.crunzh.com for nice freeware programs. Including a program for monitoring your webserver.
    Any opinions in this post, unless otherwise noted, are my own personal opinions.

  4. #4
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    quoted from admin0.info


    cd /dev/
    dd if=/dev/zero of=Tmp bs=1024 count=100000
    dd if=/dev/zero of=varTmp bs=1024 count=100000
    mkfs -t ext3 /dev/Tmp
    mkfs -t ext3 /dev/varTmp
    cd /
    cp -aR /tmp /tmp_backup
    mount -o loop,noexec,nosuid,rw /dev/Tmp /tmp
    cp -aR /tmp_backup/* /tmp/
    chmod 0777 /tmp
    chmod +t /tmp

    cd /var/
    cp -aR /var/tmp /var/tmp_backup

    mount -o loop,noexec,nosuid,rw /dev/varTmp /var/tmp
    cp -aR /var/tmp_backup/* /var/tmp/
    chmod 0777 /var/tmp
    chmod +t /var/tmp


    add this to /etc/fstab

    /dev/Tmp /tmp ext3 loop,rw,nosuid,noexec 0 0
    /dev/varTmp /var/tmp ext3 loop,rw,nosuid,noexec 0 0

    then

    /scripts/restartsrv httpd
    /scripts/restartsrv mysql
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  5. #5
    Originally posted by visiondream3
    You could run /scripts/securetmp if you are on a cpanel server.
    That does not affect mysql because it needn't be executable. I have it enabled on a few servers and all of them work perfectly.

    Vivek Prasannan
    Hi

    How can I actually do that? Will that affect any other working processes or applications?

  6. #6
    Join Date
    Aug 2002
    Location
    Denmark
    Posts
    432
    Originally posted by Uncle Mad
    Hi

    How can I actually do that? Will that affect any other working processes or applications?
    SSH to the server and simply type in /scripts/securetmp
    Checkout www.crunzh.com for nice freeware programs. Including a program for monitoring your webserver.
    Any opinions in this post, unless otherwise noted, are my own personal opinions.

  7. #7
    Join Date
    Jul 2003
    Posts
    139
    From my /etc/fstab:

    tmpfs /tmp tmpfs noexec,nosuid,size=256M 0 0

  8. #8
    Join Date
    Jun 2003
    Location
    World Wide Web
    Posts
    581
    Hi

    If I do a chmod -x /tmp, mysql stops working, so it must somewhere require the x bit.
    Right, running the script /scripts/securetmp does not leave the /tmp directory non-executable. Instead it prevents any programs from being executed from within the directory file system using ./prog_name

    That's how most /tmp attempts occur: by downloading the script through http and executing it from /tmp.

    When you do chmod -x /tmp it's affecting the directory mode, but when you do
    mount -o loop,noexec,nosuid,rw
    it's mounted as a separate non-executable drive.
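    An added audit check (not from this thread or from cPanel) for the distinction drawn above and for the noexec,nosuid mounts set up in post #4: it parses /proc/mounts-style lines and reports which of the expected options are missing on /tmp and /var/tmp. The sample mount table is constructed, and the function names are my own.

    ```shell
    #!/bin/sh
    # Added example: verify that /tmp and /var/tmp are mounted with the
    # noexec,nosuid options recommended in the thread. The directory x bit
    # (needed to traverse /tmp and reach mysql.sock) is left alone; only the
    # mount options are checked.

    # check_mount_opts MOUNTS_TEXT MOUNTPOINT OPT... -> "ok" | "missing: ..." | "not-mounted"
    # MOUNTS_TEXT is /proc/mounts-style: "dev mountpoint fstype options dump pass".
    check_mount_opts() {
        mounts="$1"; mp="$2"; shift 2
        # Use the last entry for the mountpoint; a later mount over it wins.
        line=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp {l=$0} END {print l}')
        [ -n "$line" ] || { echo "not-mounted"; return 1; }
        opts=$(printf '%s\n' "$line" | awk '{print $4}')
        missing=""
        for want in "$@"; do
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="$missing $want" ;;
            esac
        done
        if [ -z "$missing" ]; then echo "ok"; return 0; fi
        echo "missing:$missing"; return 1
    }

    # Constructed sample of /proc/mounts: /tmp hardened as in post #4,
    # /var/tmp a tmpfs that forgot the noexec,nosuid options.
    SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
    /dev/loop0 /tmp ext3 rw,nosuid,noexec 0 0
    tmpfs /var/tmp tmpfs rw,size=256M 0 0'

    # audit_tmp [MOUNTS_TEXT]: defaults to the live /proc/mounts when no text is given.
    audit_tmp() {
        mounts="${1:-$(cat /proc/mounts)}"
        rc=0
        for mp in /tmp /var/tmp; do
            result=$(check_mount_opts "$mounts" "$mp" noexec nosuid) || rc=1
            echo "$mp: $result"
        done
        return $rc
    }

    audit_tmp "$SAMPLE_MOUNTS" || echo "tmp hardening incomplete"
    ```

    Run it without an argument on a live box to audit the real mount table.
    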
