On Linux systems there are a few temporal directories used for storage, like /tmp, /var/tmp and /dev/shm. This directories are used to store temporary files from different services such as Apache, MySQL, etc.
However, sometimes this directories are also used by crackers and script kiddies to store malicious/malware and virus executables. This malicious scripts can be an open door to send spam, exploit the system as root or spread viruses over the network.
This tutorial will show you how to secure /tmp partition, and also the /dev/shm directory.
The /tmp directory
The /tmp directory is a temporal directory that stores information about website sessions, downloaded files, service sockets, etc. And is often used by malicious attackers to store their malware & spam scripts.
What is /dev/shm?
/dev/shm is just a portion of the system used as shared memory, it’s used to pass data between apps and processes, this is very useful to speed up things on Unix/Linux systems. And of course, is also used by attackers.
Backup your /etc/fstab configuration
Before we start, let’s backup our fstab file in case something goes wrong:
cp /etc/fstab /etc/fstab.bak -fv
How to secure /tmp partition on cPanel servers
Login to your cPanel box as root and run this command:
/scripts/securetmp
Answer yes to all the questions. The output should be something like:
Would you like to secure /tmp & /var/tmp at boot time? (y/n) y Would you like to secure /tmp & /var/tmp now? (y/n) y Securing /tmp & /var/tmp
Then set propper permissions for the /tmp directory:
chmod 1777 /tmp
Now your /etc/fstab file should contain two new secured partitions, just ensure they look like this:
/tmp /var/tmp ext3 loop,noexec,nosuid,rw 0 0 /usr/tmpDSK /tmp ext3 loop,noexec,nosuid,rw 0 0
After you are doing securing /tmp reboot your box to apply changes:
shutdown now -rf
How can I secure /dev/shm directory?
Edit /etc/fstab and delete your /dev/shm configuration. Then add this line:
none /dev/shm tmpfs noexec,nosuid 0 0
This will secure your /dev/shm directory for the next system boot. If you need to apply the changes right now, just umount and mount the directory again:
umount /dev/shm mount /dev/shm
Understanding noexec and nosuid
As you saw on the configuration, we secured /tmp and /dev/shm partitions by adding noexec and nosuid parameters. But what does this mean exactly?
noexec: this flag doesn’t allow executin of binaries inside the partition.
nosuid: is use to disallow the set-user-identifier / set-group-identifier
bits to take effect on the selected partition.
Conclusion
For now you have a more robust /tmp and /dev/shm partitions. However, while this seems to be far more secure than the default settings on /etc/fstab, there are still ways to upload and execute scripts inside /tmp, we will dig into that later.
Learn more about temporary directories: