  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 652

/tmp permissions

Can I stop executables from running in the /tmp directory without breaking PHP or causing other software issues?

I wanted to have /tmp as a separate partition, but I already have my partitions created. I tried the parted software and I can't add a partition since no free space exists.
Anyway, I don't really want to resize my partitions, but I'd be willing to just stop executables from running in the /tmp folder. I keep having people hack right through...


drwxrwxrwt    6 root jason 339968 Apr 13 15:26 tmp

Above was what it was set at, and now it's

drwxrwx---    6 root jason 339968 Apr 13 15:28 tmp

How do I change it so it's not executable and no one can change it, not even root?
1 Solution
 
ppfoong commented:

Try this as root to create a 100MB /tmp to be mounted noexec:

cd /dev
dd if=/dev/zero of=tmpMnt bs=1024 count=100000
/sbin/mke2fs /dev/tmpMnt
cd /
cp -R /tmp /tmp.bak
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
chmod 1777 /tmp
cp -R /tmp.bak/* /tmp/
rm -rf /tmp.bak

Edit your /etc/fstab, add in:

/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0


XoF commented:
Instead of using a loopback file, I'd suggest using a tmpfs for mounting a shared-memory FS on /tmp, so that /tmp completely resides in virtual memory.
To do so, add the following to /etc/fstab:

none /tmp tmpfs noexec,nosuid,rw 0 0


The default size for tmpfs will be half of your RAM size. To specify another size, use the size=nbytes option, e.g.:

none /tmp tmpfs noexec,nosuid,rw,size=104857600 0 0 # 100MB of tmp-space


HTH,
-XoF-
 
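A check added here, not from any poster in this thread, that audits a mount table in /proc/mounts format for the options the tmpfs fstab line above sets; the sample table is constructed, and the check also looks for nodev, which the thread does not mention.

```sh
#!/bin/sh
# Audit a mount table (the format of /proc/mounts) for /tmp hardening options.
# The sample table below is constructed for illustration, not from a real host.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
none /tmp tmpfs rw,nosuid,size=104857600 0 0
/dev/sda2 /home ext3 rw,nosuid,nodev 0 0
EOF

# mount_opts TABLE MOUNTPOINT
# Prints the option field of the effective mount on MOUNTPOINT. The last
# matching entry wins, because a later mount over the same path hides the
# earlier ones. Prints nothing if the path is not a mount point of its own.
mount_opts() {
    awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }' "$1"
}

# missing_opts TABLE MOUNTPOINT
# Prints the hardening options absent from that mount (space separated) and
# returns 0 only when none are missing. Prints NOT_MOUNTED and returns 1 when
# MOUNTPOINT is just a directory on a larger filesystem: in that case an
# /etc/fstab line with noexec was never applied at all.
missing_opts() {
    opts=$(mount_opts "$1" "$2")
    if [ -z "$opts" ]; then
        echo NOT_MOUNTED
        return 1
    fi
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Stand-alone run: audit the constructed table, then the live system if present.
missing_opts "$SAMPLE_MOUNTS" /tmp || echo "sample /tmp is not fully hardened"
if [ -r /proc/mounts ]; then
    missing_opts /proc/mounts /tmp || echo "live /tmp is not fully hardened"
fi
```

noexec only stops the kernel from executing files directly from that mount; an interpreter started from elsewhere can still read and run a script stored there, so treat the mount options as one layer, not the whole fix.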
XoF commented:
ppfoong:
I guess it's perhaps not the best idea to place a loopback file in /dev, since /dev might be a mounted udev or devfs, so you most likely won't have the loopback file after a reboot.

ppfoong commented:

Well, if your server has a lot of memory to spare for /tmp, you can try that.


XoF commented:
Actually, the question is not whether you have lots of RAM or not. tmpfs resides in _virtual_ memory, which is RAM + swap space. BTW, mounting shmfs on /tmp is standard on several *NIXes, e.g. Solaris.

aot2002 (Author) commented:
Can I just mount /tmp on a USB drive??
I've got a 512MB USB drive.

aot2002 (Author) commented:
Flash stick anyway, 512MB; I don't use it at all.

XoF commented:
I wouldn't use a USB drive, for several reasons:
- it's rather slow
- depending on your device filesystem (devfs/udev/plain files), the device name may change during bootup when further USB devices are attached to the system. If you nevertheless really want to use a USB drive, I'd recommend using e2fs labels instead of device names in /etc/fstab:
Assume your USB drive is recognized as /dev/sda1; then you'd do
e2label /dev/sda1 tmpdev

then /etc/fstab would have to contain the line
LABEL=tmpdev /tmp ext3 noexec,nosuid,rw 0 0


HTH,

-XoF-

aot2002 (Author) commented:
OK, forget the USB then, too slow.

Well, how does one make a partition when /tmp was never created as a separate partition on my main drive?

XoF commented:
- init S
- create the new partition & filesystem if needed
- edit /etc/fstab as suggested in several previous posts
- mv /tmp /oldtmp
- mkdir /tmp
- mount /tmp
- mv /oldtmp/* /tmp
- init 5

aot2002 (Author) commented:
Please instruct me how to create the new partition, or what way I can do this?
They broke in again, trying to execute ICE and .font.

aot2002 (Author) commented:
I mean, is there a certain partitioning tool you want me to use?

ppfoong commented:

I have already provided the exact commands to do so. See above.


aot2002 (Author) commented:
You mean just adding

none /tmp tmpfs noexec,nosuid,rw 0 0

will allow it to create /tmp in memory?

aot2002 (Author) commented:
What happens if I run out of space in /tmp?
Or should I run a cron script to remove files every half hour?

XoF commented:
> none /tmp tmpfs noexec,nosuid,rw 0 0
> will allow it to create the tmp in memory?

Yes. Just make sure that /tmp is empty beforehand, as described in my short instructions above.

> what happens if i run out of space in tmp?

Well, then you won't be able to create files in /tmp anymore... But that's a problem you have to face in each case. So your strategy heavily depends on the circumstances you face:
- how often will the system be rebooted
- who uses /tmp
- what is /tmp used for

Normally, /tmp is mainly used for really temporary data, such as a webserver's session store, daemon sockets, other session information, perhaps user testing data.
If a rapidly filling /tmp really is a threat to consider, then a cronjob which removes (user-created) files older than x days might be a strategy worth considering.


regards,
-XoF-

aot2002 (Author) commented:
I changed the web server session path to /tmp/sess,

then made that path very restricted with no execute permissions.
Currently, though, sendmail needs 1777 permissions on /tmp.
I myself think this is not the best... I wish I knew how to change sendmail's /tmp to a new location.

aot2002 (Author) commented:
Thanks, works well.

PsiCop commented:
The followup to this Question is --> http://www.experts-exchange.com/Networking/Email_Groupware/Sendmail/Q_21848953.html

I don't think sendmail uses /tmp at all. See the followup.