Archive for April, 2005

Tomcat 4 & Graphics

Monday, April 18th, 2005

If you are trying to use graphics on a server that does not run X, you may run into all sorts of problems with the AWT toolkit. When the AWT toolkit is initialised it expects to find an X server, regardless of whether one is needed for actual display; the usual symptom is an InternalError complaining that it cannot connect to the X11 window server named by DISPLAY, thrown from code that only wanted to draw an off-screen image.

If you are running JDK 1.4 or later, add -Djava.awt.headless=true to the JVM options in your Tomcat startup. In headless mode AWT still supports everything a servlet needs (BufferedImage, Graphics2D, fonts and image I/O); only operations that genuinely require a screen, keyboard or mouse, such as creating a Frame, throw HeadlessException instead of trying to open a display.

I achieved this by editing the /usr/bin/dtomcat4 file.

Below is a downloadable patch file. Tomcat 4 Patch
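Since the edit is easy to get wrong (a second -Djava.awt.headless later on the command line silently overrides the first), here is an added check, written for this page and not part of the post's patch or of Tomcat: it verifies whether a running JVM was actually started headless and shows an idempotent way to add the flag to JAVA_OPTS, which Tomcat 4's catalina.sh passes to the JVM. The pgrep pattern used to find the Tomcat process is an assumption; adjust it for your installation.

```shell
#!/bin/sh
# Added example; not the post's patch and not part of Tomcat. Checks whether a
# running JVM is headless and adds -Djava.awt.headless=true to JAVA_OPTS only
# when it is not already in effect. The pgrep pattern is an assumption.

# Succeeds when the command line in $1 (one string, as printed by
# `ps -o args=`) leaves java.awt.headless set to true. Java honours the last
# -D given for a property, so a later =false overrides an earlier =true.
jvm_is_headless() {
    headless=false
    set -f                       # no globbing while we word-split the args
    for arg in $1; do
        case "$arg" in
            -Djava.awt.headless=*) headless=${arg#-Djava.awt.headless=} ;;
        esac
    done
    set +f
    [ "$headless" = true ]
}

# Prints $1 (an existing JAVA_OPTS value) with the headless flag appended
# only if it is not already in effect, so repeated runs do not pile up flags.
add_headless_opt() {
    if jvm_is_headless "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "${1:+$1 }-Djava.awt.headless=true"
    fi
}

# Live check: find the Tomcat JVM and report whether it runs headless.
# Returns 0 if headless, 1 if not, 2 if no Tomcat process was found.
check_tomcat_headless() {
    pid=$(pgrep -f 'org.apache.catalina.startup.Bootstrap' | head -n 1)
    if [ -z "$pid" ]; then
        echo "no Tomcat JVM found" >&2
        return 2
    fi
    if jvm_is_headless "$(ps -o args= -p "$pid")"; then
        echo "PID $pid: headless, AWT will not look for an X server"
    else
        echo "PID $pid: NOT headless, add -Djava.awt.headless=true to JAVA_OPTS" >&2
        return 1
    fi
}

case "${1:-}" in
    check) check_tomcat_headless ;;
    opts)  add_headless_opt "${JAVA_OPTS:-}" ;;
esac
```

Run it with `check` after restarting Tomcat to confirm the flag actually reached the JVM; `opts` prints a JAVA_OPTS value you can paste into the startup script. The check reads the live command line rather than the startup script because that is what the JVM saw.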

Securing /tmp directory

Saturday, April 9th, 2005

If you are renting a server, chances are everything is lumped into / with a small partition for /boot and some swap. With that layout you have no room to make more partitions unless you have a second hard drive. Following the method described below, you will learn how to create a hardened /tmp partition, backed by a file, while your server is up and running.

Recently, I found out it would be worthwhile to give /tmp its own partition and mount it using noexec. A great many automated attacks against web applications download a payload into /tmp, the one directory every process can write to, and run it from there; a noexec (and nosuid) mount stops exactly that step, whether the attacker got in locally or remotely. Be clear about what it does not stop: anyone who can run an interpreter can still do sh /tmp/x or perl /tmp/x.pl, and older kernels let binaries on a noexec mount be executed through mmap or the dynamic loader, so treat this as one layer of hardening rather than a complete fix.

What we are doing is creating a file that we will mount at /tmp through a loop device. So log in over ssh and su to root so we may begin! Pick a quiet time: processes that already hold files open in /tmp keep using the old directory, which becomes hidden under the new mount, and anything that relies on a socket in /tmp (some MySQL installations put mysql.sock there) will need restarting afterwards.

In your /dev directory create an empty 250MB file. You may need more space on a busier system; to increase the size of the empty file, make the count parameter larger. On systems where /dev is a tmpfs managed by udev a regular file there will not survive a reboot, so put the backing file somewhere on the root filesystem instead and use that path in every step below. Whatever path you pick, make the file readable by root only (mode 600): the 1777 mode you set on the mounted directory later says nothing about the raw image, and a world-readable image lets any local user read everyone else's temporary files.

cd /dev
dd if=/dev/zero of=tmppart bs=1024 count=250000

We will now create an ext3 filesystem inside the tmppart file. mkfs will ask whether you want to proceed, since the destination is not a block device; answer yes (y).

/sbin/mkfs.ext3 /dev/tmppart

Back up your /tmp directory, since it may contain files that are needed by certain programs; some use it to store cache files or other temporary information. Use cp -a rather than cp -R so that ownership, modes and timestamps are preserved; otherwise every user's files come back owned by root, and the sticky bit on /tmp will then stop those users deleting their own files.

cd /
cp -a /tmp /tmp_backup

Now, mount the new /tmp filesystem with the noexec, nosuid and rw options (adding nodev as well costs nothing and stops device nodes being created there), and set the usual sticky, world-writable permissions on the new filesystem:

mount -o loop,noexec,nosuid,rw /dev/tmppart /tmp
chmod 1777 /tmp

Restore the old /tmp data and remove the backup directory. Copy from /tmp_backup/. rather than /tmp_backup/* so that dot-files (such as .X11-unix) are included, and use cp -a again to keep ownership:

cp -a /tmp_backup/. /tmp/
rm -rf /tmp_backup

We now need to add this to /etc/fstab so it mounts automatically on reboot; the loop option makes mount set up the loop device for you. Add the following line to your /etc/fstab file.

/dev/tmppart /tmp ext3 loop,noexec,nosuid,rw 0 0

You are done! /tmp is now mounted as noexec, nosuid and rw. Confirm it from the kernel's point of view by checking the options that mount (or /proc/mounts) reports for /tmp, rather than trusting the command you typed. You can sleep a little bit safer tonight.

To test the setup, copy an executable to the /tmp directory and try to run it. It should fail with a Permission denied error message even though its mode bits allow execution. Note that a script copied there will still run if you hand it to an interpreter explicitly (sh /tmp/script.sh); that is the limit of what noexec gives you.
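The whole procedure as one script, added for this page rather than taken from the post, with the checks the post leaves out: it refuses to overwrite an existing image or re-mount an already mounted /tmp, makes the image root-only, preserves ownership and dot-files when copying, avoids duplicating the fstab entry, verifies the mount options from /proc/mounts, and includes the noexec probe. It assumes the backing file is /dev/tmppart as in the post (override IMG for a tmpfs /dev), a size in MiB in SIZE_MB, and a host with dd, mkfs.ext3, a loop-capable mount and a writable /etc/fstab.

```shell
#!/bin/sh
# Added example, not the original post's commands: the same procedure as a
# script with the checks the post leaves out. Assumptions: the backing file is
# /dev/tmppart (as in the post), SIZE_MB is the image size in MiB, and the host
# has dd, mkfs.ext3, a loop-capable mount and a writable /etc/fstab.
set -e

IMG=${IMG:-/dev/tmppart}
SIZE_MB=${SIZE_MB:-250}
MOUNT_OPTS=loop,noexec,nosuid,nodev,rw

# The fstab entry for image $1, kept in a function so it can be checked
# without touching the real /etc/fstab.
fstab_line() {
    printf '%s /tmp ext3 %s 0 0\n' "$1" "$MOUNT_OPTS"
}

# Succeeds if the fstab-format file $1 already has an uncommented entry for /tmp.
fstab_has_tmp() {
    grep -qE '^[^#[:space:]][^[:space:]]*[[:space:]]+/tmp[[:space:]]' "$1"
}

# Succeeds if /proc/mounts-format text $1 shows /tmp mounted with both noexec
# and nosuid. Fields: device, mountpoint, fstype, options, dump, pass.
tmp_mount_is_hardened() {
    printf '%s\n' "$1" | awk '
        $2 == "/tmp" { o = "," $4 ","; if (o ~ /,noexec,/ && o ~ /,nosuid,/) ok = 1 }
        END { exit !ok }'
}

create_tmp_partition() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ ! -e "$IMG" ] || { echo "$IMG exists, refusing to overwrite" >&2; return 1; }
    if awk '$2 == "/tmp" { f = 1 } END { exit !f }' /proc/mounts; then
        echo "/tmp is already a mount point" >&2; return 1
    fi
    # 1. Backing file, readable by root only: the 1777 mode on the mounted
    #    directory does not protect the raw image from other local users.
    dd if=/dev/zero of="$IMG" bs=1M count="$SIZE_MB"
    chmod 600 "$IMG"
    # 2. Filesystem; -F skips the "not a block device" prompt.
    mkfs.ext3 -q -F "$IMG"
    # 3. Preserve the current contents with ownership, modes and dot-files.
    cp -a /tmp /tmp_backup
    # 4. Mount with the hardening options and restore the usual sticky,
    #    world-writable mode on the new filesystem.
    mount -o "$MOUNT_OPTS" "$IMG" /tmp
    chmod 1777 /tmp
    cp -a /tmp_backup/. /tmp/
    rm -rf /tmp_backup
    # 5. Persist across reboots without adding a duplicate line.
    fstab_has_tmp /etc/fstab || fstab_line "$IMG" >> /etc/fstab
    # 6. Verify from the kernel's view rather than from what we asked for.
    tmp_mount_is_hardened "$(cat /proc/mounts)"
}

# Functional test: a binary copied into /tmp must be refused with
# "Permission denied" even though its mode bits allow execution.
noexec_test() {
    cp /bin/true /tmp/noexec_probe
    chmod 755 /tmp/noexec_probe
    if /tmp/noexec_probe 2>/dev/null; then
        rm -f /tmp/noexec_probe
        echo "FAIL: /tmp is executable" >&2
        return 1
    fi
    rm -f /tmp/noexec_probe
    echo "OK: exec from /tmp denied"
}

case "${1:-}" in
    create) create_tmp_partition ;;
    test)   noexec_test ;;
esac
```

Run it as root with `create`, then with `test`; the final step of `create` already fails if /proc/mounts does not show noexec and nosuid on /tmp, so a typo in the options cannot go unnoticed.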