Learn Secure TMP and TMPFS on CentOS 6
Table of Contents
Temporary directories such as
/dev/shm offer a platform for hackers to run scripts and programs. These malicious executables are used to abuse or compromise your server. Ideally the
/tmp directory should be mounted on its own partition with limited permissions.
This guide is for IT Web Services users whose server configuration does not include a mounted
/tmp directory on its own partition, which leaves these directories insecure and vulnerable. Implementing this guide will make it extremely difficult for hackers to use these directories.
Note: Default CentOS installations do not mount the
/tmp directory on its own partition.
Change to the home directory.
Make a file in the home directory with any name. Here we are using ‘mntTmp’ and creating a 2GB file. You can adjust this to suit your needs.
dd if=/dev/zero of=mntTmp bs=1024 count=2000000
Make an extended filesystem for this file.
Back up your current
cp -Rpf /tmp /tmp_backup1
Return to the base directory.
/tmp mounting option to run at boot by using a text editor.
Add the following to the bottom of the fstab file on a separate line. Then press enter to ensure there is an empty line beneath it (the empty line is important to avoid running into problems when rebooting).
/home/mntTmp /tmp ext4 loop,nosuid,noexec,nodev,rw 0 0
Note: This mount may need to be temporarily removed when you compile or install software
Keep the file open as another line is going to be changed.
CentOS uses a temporary filesytem (tmpfs) in virtual memory called “shm”. It appears mounted despite the fact that it is not a physical file system. We can apply permissions to secure shm. Look for the line in the fstab file with tmpfs and
'defaults,nosuid,noexec,nodev'. Save the file.
You can now mount the
/tmp file system.
mount -o loop,nosuid,noexec,nodev /home/mntTmp /tmp
Set read, write, execute permissions.
chmod 777 /tmp
Check for any mounting errors with the new boot settings.
mount -o remount /tmp
/tmp backup which you created back to the mounted
/tmp file system.
mv /tmp_backup1/* /tmp/
Remove the backup that you created.
rm -Rf /tmp_backup1
cp -Rpf var/tmp /tmp_backup2
rm -Rf /var/tmp
Create a symbolic link from
ln -s /tmp /var/tmp
/var/tmp backup to
mv /tmp_backup2/* /tmp/
Remove the backup.
rm -Rf /tmp_backup2
Depending on the specific software you are using, you may have a “tmp” directory in the home directory. You can remove this directory and create a symbolic link to
/tmp. Care should exercised when doing this as it may break the software, particularly web hosting software.
rm -Rf /home/tmp ln -s /tmp /home/tmp
Do you need help setting up this on your own service?
Please contact us and we’ll provide you the best possible quote!