If you are renting a server then chances are everything is lumped in / and a small amount partitioned for /boot and some for swap. With this current setup, you have no room for making more partitions unless you have a second hard-drive. Following the method descriped below, you will learn how to create a secure /tmp partition even while your server is already up and running.
Recently, I found out it would be worthwhile to give /tmp it’s own partition and mount it using noexec. This would protect your system from MANY local and remote exploits of rootkits being run from your /tmp folder.
What we are doing it creating a file that we will use to mount at /tmp. So log into ssh and su to root so we may begin!
In your /dev directory create an empty 250MB file. You may need more space on a busier system. To increase the size of the empty file make the count parameter larger.
dd if=/dev/zero of=tmppart bs=1024 count=250000
We will now create an ext3 filesystem for in our tmppart file. If it asks you if you want to proceed, since the destination is not a block device, say yes (y).
Backup your /tmp diretory since you may have files in there that is needed by certain programs. Some programs may use it to store cache files or other temporary information.
cp -R /tmp /tmp_backup
Now, mount the new /tmp filesystem with noexec, nosuid and rw options, and set the correct permissions on the new partition:
mount -o loop,noexec,nosuid,rw /dev/tmppart /tmp
chmod 1777 /tmp
Restore the old /tmp data and remove backup directory:
cp -R /tmp_backup/* /tmp/
rm -rf /tmp_backup
We now need to add this to
/etc/fstab so it mounts automatically on reboots. Add the following line to your
/dev/tmppart /tmp ext3 loop,noexec,nosuid,rw 0 0
You are done! /tmp is now mounted as noexec, nosuid and rw. You can sleep a little bit safer tonight.
To test the setup, you may copy an executable to the /tmp directory and then try and execute it. It should fail with a
Permission denied error message.