Results 1 to 5 of 5
  1. #1
    Join Date
    Jan 2002
    Posts
    172

    Enough is enough!!

    Having /tmp directory open to everyone is really a very bad idea! Any user can simply upload php/cgi shells to his/her account and starts running illegal programs on /tmp.

    How can I prevent users on my server from using shell scripts and executing programs on /tmp?

    (I'm already using cgi/PHP Suexec)

  2. #2
    Greetings:

    There are a number of how to's on forums.ev1servers.net; and probably on WHT if you do a search.

    Please note that even with /tmp set up with nonexec, nosuid, a knowledgeable hacker can still run programs in /tmp.

    Futhermore, there are other measures that should be taken; security needs to be done in as many layers that work that you can manage through each day.

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile

  3. #3
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    dont forget

    /tmp, /var/tmp, /var/spool/mail

    those are also used.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  4. #4
    there is no way to 100% secure /tmp. at least you could mount it with noexec,nosuid,nodev options, but it won't stop knowledged attacker.

    regards,
    M.
    Powered by AMD & FreeBSD.
    "Documentation is like sex:
    when it is good, it is very, very good;
    and when it is bad, it is better than nothing."

  5. #5
    Join Date
    Apr 2004
    Location
    USA
    Posts
    27
    one way to secure /tmp is to not to allow users to write to it

    you can create tmp directories for every user to use. http://www.bastille-linux.org/ is a good resource for overall system hardening

    when you have many users on one server that have very sensitive information (like HIPAA stuff) the best way to go would be chroot jail, or a VPS solution

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •