Learn Secure TMP and TMPFS on CentOS 6

January 16, 2019


    Temporary directories such as /tmp, /var/tmp, and /dev/shm offer a platform for hackers to run scripts and programs. These malicious executables are used to abuse or compromise your server. Ideally the /tmp directory should be mounted on its own partition with limited permissions.

    This guide is for IT Web Services users whose server configuration does not include a mounted /tmp directory on its own partition, which leaves these directories insecure and vulnerable. Implementing this guide will make it extremely difficult for hackers to use these directories.

    Note: Default CentOS installations do not mount the /tmp directory on its own partition.

    Change to the home directory.

     cd /home
    

    Make a file in the home directory with any name. Here we are using ‘mntTmp’ and creating a 2GB file. You can adjust this to suit your needs.

     dd if=/dev/zero of=mntTmp bs=1024 count=2000000
    

    Make an ext4 filesystem inside this file. Because the target is a regular file rather than a block device, mkfs.ext4 asks for confirmation before proceeding; answer y.

     mkfs.ext4 /home/mntTmp
    

    Back up your current /tmp directory.

     cp -Rpf /tmp /tmp_backup1
    

    Return to the base directory.

     cd /
    

    Create the /tmp mounting option to run at boot by using a text editor.

     nano /etc/fstab
    

    Add the following to the bottom of the fstab file on a separate line, then press Enter so that there is an empty line beneath it (the trailing empty line is important; without it you may run into problems when rebooting).

     /home/mntTmp   /tmp    ext4    loop,nosuid,noexec,nodev,rw 0 0
    

    Note: This mount may need to be temporarily removed when you compile or install software, since noexec prevents build scripts and installers from running binaries out of /tmp.

    Keep the file open as another line is going to be changed.

    CentOS uses a temporary filesystem (tmpfs) in virtual memory called “shm”. It appears mounted despite the fact that it is not a physical file system. We can apply mount options to secure shm. Look for the line in the fstab file with tmpfs and /dev/shm. Replace 'defaults' with 'defaults,nosuid,noexec,nodev'. Save the file.

    You can now mount the /tmp file system.

     mount -o loop,nosuid,noexec,nodev /home/mntTmp /tmp
    

    Set read, write and execute permissions for all users, with the sticky bit (mode 1777, the same as a default /tmp) so that users can only delete their own files.

     chmod 1777 /tmp
    

    Check for any mounting errors with the new boot settings.

     mount -o remount /tmp
    

    Move the /tmp backup which you created back to the mounted /tmp file system.

     mv /tmp_backup1/* /tmp/
    

    Remove the backup that you created.

     rm -Rf /tmp_backup1
    

    Back up /var/tmp.

     cp -Rpf /var/tmp /tmp_backup2
    

    Remove the /var/tmp directory.

     rm -Rf /var/tmp
    

    Create a symbolic link from /var/tmp to /tmp.

     ln -s /tmp /var/tmp
    

    Copy the /var/tmp backup to /tmp.

     mv /tmp_backup2/* /tmp/
    

    Remove the backup.

     rm -Rf /tmp_backup2
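    Once the steps above are done, it is worth checking the result rather than trusting the fstab edit. The following script is an added verification example, not part of the original guide: it parses a file in /proc/mounts layout and confirms that /tmp and /dev/shm carry nosuid, noexec and nodev, that a directory has the 1777 mode /tmp needs, and that /var/tmp is a symlink to /tmp. The two mount tables embedded in it are constructed samples, not captures from a real host; the function names (check_opts, check_tmp_mode, check_symlink, audit) are this example's own.

```shell
#!/bin/sh
# Added verification script (not from the original guide): audits the result of
# the /tmp hardening procedure. Needs only POSIX sh, awk and coreutils, as found
# on CentOS 6. Mount tables are read from a file in /proc/mounts layout:
#   device  mountpoint  fstype  options  dump  pass
# /etc/fstab uses the same six fields, so the same checks apply to it.

# check_opts MOUNTPOINT REQUIRED_OPTS [MOUNTS_FILE]
# Returns 0 only if MOUNTPOINT appears in MOUNTS_FILE (default /proc/mounts)
# and every comma-separated option in REQUIRED_OPTS is present for it.
check_opts() {
    mp=$1; required=$2; mounts=${3:-/proc/mounts}
    # the last matching entry wins, as it does for stacked mounts in /proc/mounts
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts")
    if [ -z "$opts" ]; then
        echo "FAIL: $mp is not mounted" >&2
        return 1
    fi
    missing=0
    for want in $(printf '%s' "$required" | tr ',' ' '); do
        case ",$opts," in
            *",$want,"*) ;;   # option present
            *) echo "FAIL: $mp lacks $want (options: $opts)" >&2; missing=1 ;;
        esac
    done
    return $missing
}

# check_tmp_mode DIR: world-writable with the sticky bit (drwxrwxrwt, mode 1777),
# so every user can write but only delete their own files.
check_tmp_mode() {
    perm=$(ls -ld "$1" | cut -c1-10)
    [ "$perm" = "drwxrwxrwt" ] || { echo "FAIL: $1 is $perm, expected drwxrwxrwt" >&2; return 1; }
}

# check_symlink LINK TARGET: LINK is a symbolic link pointing exactly at TARGET.
check_symlink() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ] ||
        { echo "FAIL: $1 is not a symlink to $2" >&2; return 1; }
}

# audit MOUNTS_FILE: the mount-option checks the guide's fstab lines should satisfy.
audit() {
    bad=0
    for dir in /tmp /dev/shm; do
        check_opts "$dir" nosuid,noexec,nodev "$1" || bad=1
    done
    return $bad
}

# sample_file CONTENT: write CONTENT to a temporary file and print its path.
sample_file() {
    f=$(mktemp)
    printf '%s\n' "$1" > "$f"
    echo "$f"
}

# Constructed /proc/mounts excerpts (not captured from a real host).
# After the guide: /tmp is a loop-mounted image and /dev/shm carries the added options.
SAMPLE_HARDENED='/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/loop0 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0'
# Default install: /tmp is only a directory on / and /dev/shm has no restrictions.
SAMPLE_DEFAULT='/dev/mapper/vg-root / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0'

# Demonstration on the constructed samples; on a real host run: audit /proc/mounts
for sample in "$SAMPLE_HARDENED" "$SAMPLE_DEFAULT"; do
    f=$(sample_file "$sample")
    if audit "$f"; then echo "PASS: mount options look correct"; else echo "audit found problems"; fi
    rm -f "$f"
done
```

    On a live host, `audit /proc/mounts` shows what the kernel actually applied, while `audit /etc/fstab` confirms the boot-time configuration before you reboot; running `check_tmp_mode /tmp` and `check_symlink /var/tmp /tmp` covers the remaining steps. The default sample fails because /tmp is not a separate mount at all, which is exactly the state the guide starts from.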
    

    Optional

    Depending on the specific software you are using, you may have a “tmp” directory in the home directory. You can remove this directory and create a symbolic link to /tmp. Care should be exercised when doing this as it may break the software, particularly web hosting software.

     rm -Rf /home/tmp
     ln -s /tmp /home/tmp
    

    Need help?

    Do you need help setting this up on your own service?
    Please contact us and we’ll provide you the best possible quote!