CentOS OpenVZ – how to secure tmp directory


This guide on how to secure your tmp directory is written for a CentOS 64-bit VPS running on OpenVZ.

Server administration is a constant battle with security, but there are a few key processes that can be applied to a server to decrease its attack footprint. One of these is to secure the temp directory on your server, which is actually a very simple process. We will discuss two things here: first, why do I need to secure my tmp directory, and second, how do I secure the tmp directory on my Linux server?

The tmp directory (/tmp) is an area on the Linux server where scripts can (as the name suggests) hold temporary files; normally you would expect this to be something such as cached images or database results. However, malicious scripts might use this data store to hold some compromising code, with the aim of executing it on the system and perhaps installing some kind of rootkit.

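There is a fairly simple fix for this: you can still use the /tmp directory, but by creating it as a standalone partition you separate it from the rest of your file system. This then allows you to define some fairly low-level and basic access restrictions, in the form of mount options, to block malicious script execution. The options used in this guide are noexec (files on /tmp cannot be executed directly), nosuid (setuid and setgid bits on files there are ignored) and nodev (device nodes there are not honoured).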

On to the how. Most of my systems at the moment are OpenVZ-based virtual servers; unfortunately the hypervisor makes the process slightly more complicated, but just follow the guide below.

NOTE: You will be performing some file system changes here, which are very risky if done incorrectly or if they are incompatible with your OS. As always I take no responsibility for the results from running these commands; you should always have a full backup, test the process in a lab, and make sure you know what the commands actually do!

The first thing we need to do is open the fstab file for editing. We are going to use nano for this, but any editor will do the job.

nano -w /etc/fstab

Now we need to create a new line, so navigate to the bottom of the file using your arrow keys and append the following line. I recommend copying and pasting to ensure you don’t get it wrong.

none /tmp tmpfs nodev,nosuid,noexec 0 0

If you opened the file using nano, you can now close it with Ctrl+X and answer “y” to save.

Our changes have now been written to the configuration file; we just need to remount the temp directory to make them live on the system. Double check the changes before running this command:

mount -o remount /tmp

There is also another temp directory which it is wise to secure: /var/tmp.
First make a backup (don’t skip this step, you need the files in a bit):

mv /var/tmp /var/tmpfiles

We can now make a symbolic link so that /var/tmp points at /tmp:

ln -s /tmp /var/tmp

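Restore the files from the backup you made before. The -a flag keeps ownership, permissions and subdirectories, and copying /var/tmpfiles/. rather than /var/tmpfiles/* also picks up hidden files:

cp -a /var/tmpfiles/. /tmp/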

Now make sure that the files in tmpfiles are also in tmp:

ls /var/tmpfiles
ls /var/tmp

If it looks OK, you can remove the tmpfiles directory.

rm -rf /var/tmpfiles

That’s it! You should now be a bit more secure!
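
To confirm the result, the script below reports which of the three fstab options are missing from the mount that covers a path. It is an added example, not part of the original guide; the function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: report which of the fstab
# options above are missing from the mount that covers a given path.
REQUIRED="nodev nosuid noexec"

# missing_opts PATH < table
# The table on stdin is in /proc/mounts format:
#   device mountpoint fstype options dump pass
missing_opts() {
    # Pick the longest mount point that is a prefix of PATH; on a tie the
    # later line wins, because a later mount shadows an earlier one.
    opts=$(awk -v p="$1" '
        { mp = $2
          if (p == mp || mp == "/" || index(p, mp "/") == 1)
              if (length(mp) >= length(best)) { best = mp; o = $4 } }
        END { print o }')
    missing=""
    for want in $REQUIRED; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    echo "${missing# }"
}

# Constructed sample: state after the fstab edit and remount, but before
# /var/tmp has been replaced by the symlink to /tmp.
sample_table() {
    cat <<'EOF'
/dev/simfs / simfs rw,relatime 0 0
none /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

# audit: check the live system. Symlinks are resolved first, so a
# /var/tmp that links to /tmp is judged by the options on /tmp.
audit() {
    rc=0
    for dir in /tmp /var/tmp; do
        gap=$(missing_opts "$(readlink -f "$dir")" < /proc/mounts)
        if [ -z "$gap" ]; then echo "OK    $dir"
        else echo "FAIL  $dir lacks: $gap"; rc=1; fi
    done
    return $rc
}

echo "sample /tmp     lacks: [$(sample_table | missing_opts /tmp)]"
echo "sample /var/tmp lacks: [$(sample_table | missing_opts /var/tmp)]"
```

On the server itself, calling audit checks the live /tmp and /var/tmp against /proc/mounts and returns non-zero if either one lacks an option.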

Technology enthusiast with many ongoing online projects, one of which is this personal blog, PingBin. Also working full time within a data center, designing and maintaining the network infrastructure.

3 comments On CentOS OpenVZ – how to secure tmp directory

  • Thanks for the tutorial! Very helpful.

    A quick question if I may – how do I specify the size of the tmp mount?

    My vps has 10GB, and when I tried the method above, df -h shows:

    Filesystem Size Used Avail Use% Mounted on
    /dev/simfs 10G 2.5G 7.6G 25% /
    none 128M 0 128M 0% /tmp

    I would like to increase the size of /tmp if possible.

    Thanks!

  • Great guide. Thanks for sharing

  • @adrian; You can set the mount size in fstab, simply by adding “size=512m” to the options field of your /tmp mount.

    e.g.

    none /tmp tmpfs nodev,nosuid,noexec,size=512m 0 0

    @Sherman; Thanks! 🙂
