This guide on how to secure your tmp directory is written for a CentOS 64-bit VPS running on OpenVZ.
Server administration is a constant battle with security; however, there are a few key steps you can take on a server to decrease its attack footprint, and one of these is to secure the temp directory, which is actually a very simple process. So we will discuss two things here: first, why do I need to secure my tmp directory, and then how do I secure the tmp directory on my Linux server?
The tmp directory (/tmp) is an area on the Linux server where scripts can (as the name suggests) hold temporary files; normally you would expect this to be something such as cached images or database results. However, malicious scripts might use this data store to hold compromising code, with the aim of executing it on the system and perhaps installing some kind of rootkit.
There is a fairly simple fix for this: you can still use the /tmp directory, but by creating it as a standalone partition you separate it from the rest of your file system. This then allows you to set some fairly low-level, basic mount options (nodev, nosuid and noexec) that block malicious script execution from that location.
On to the how. Most of my systems at the moment are OpenVZ-based virtual servers; unfortunately the hypervisor makes the process slightly more complicated, but just follow the guide below.
NOTE: You will be performing some file system changes here, which are very risky if done incorrectly or if they are incompatible with your OS. As always, I take no responsibility for the results of running these commands; you should always have a full backup, test the process in a lab, and make sure you know what the commands actually do!
The first thing we need to do is open the fstab file for editing. We are going to use nano for this, but any editor will do the job.
nano -w /etc/fstab
Now we need to create a new line, so navigate to the bottom of the file using your arrow keys and append the following line. I recommend copying and pasting to ensure you don’t get it wrong.
none /tmp tmpfs nodev,nosuid,noexec 0 0
If you opened the file with nano you can now close it with Ctrl+X, answering “y” to save.
Our change is now in the configuration file; we just need to remount the temp directory to make it live on the system. Double-check the changes before running this command (note that remount only works if /tmp is already a mount point; on a system where /tmp is still a plain directory on the root file system, use mount /tmp instead so the new fstab entry is mounted for the first time):
mount -o remount /tmp
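Before moving on, it is worth confirming that the options really took effect rather than trusting the fstab edit. The following is an added check, not part of the original guide: it parses /proc/mounts-style lines and reports which of nodev, nosuid and noexec are missing from a mount point. The mount table is passed in as text, so it is shown here against a constructed sample; the check_live_tmp wrapper (an assumed helper name) runs the same check against the real /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that a mount point
# carries the nodev, nosuid and noexec options the guide's fstab line sets.
# The mount table is passed as text so the check runs on sample data too.

# Print each required option missing from MOUNTPOINT, one per line.
# Returns 0 if all three are present, 1 otherwise ("not-mounted" if absent).
# Usage: missing_tmp_opts MOUNTPOINT MOUNT_TABLE_TEXT
missing_tmp_opts() {
    want_mp="$1"
    table="$2"
    # /proc/mounts fields: device, mount point, fstype, options, dump, pass.
    # If a path is mounted more than once the last entry is the live one.
    opts=$(printf '%s\n' "$table" |
        awk -v mp="$want_mp" '$2 == mp { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        echo "not-mounted"
        return 1
    fi
    rc=0
    for want in nodev nosuid noexec; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$want"; rc=1 ;;
        esac
    done
    return $rc
}

# Wrapper for the running system (reads the real mount table).
check_live_tmp() {
    missing_tmp_opts /tmp "$(cat /proc/mounts)"
}

# Constructed sample table: /tmp as the guide's fstab line leaves it,
# /var/tmp mounted as tmpfs but without noexec, /home not mounted at all.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
none /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
none /var/tmp tmpfs rw,nosuid,nodev,relatime 0 0'

for mp in /tmp /var/tmp /home; do
    if out=$(missing_tmp_opts "$mp" "$SAMPLE_MOUNTS"); then
        echo "$mp: hardened"
    else
        echo "$mp: NOT hardened, missing:" $out
    fi
done
```

On the live server, `check_live_tmp` printing nothing and returning 0 means the remount above did what you expected.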
There is also another temp directory that it is wise to secure: /var/tmp.
So first make a backup (don’t skip this step; you need the files in a bit):
mv /var/tmp /var/tmpfiles
We can now create a symbolic link so that /var/tmp points to /tmp:
ln -s /tmp /var/tmp
Restore the files from the backup you made before:
cp /var/tmpfiles/* /tmp/
Now make sure that the files from tmpfiles are present in tmp by comparing the two listings:
ls /var/tmpfiles
ls /var/tmp
If it looks ok, you can remove the tmpfiles directory.
rm -rf /var/tmpfiles
That’s it! You should now be a bit more secure!