Securing /tmp and /dev/shm is a nice practice. Lots of programs and scripts have access in there. So you don’t want code, malicious or not to run in there, trying to get root permissions or snoop on you.
Temporary storage directories such as /tmp, /var/tmp and /dev/shm provide storage space for malicious executables.
Crackers and hackers store executables in /tmp. Malicious users can use temporary storage directories to execute unwanted program and crack your server.
First because I forget, let’s bind /var/tmp to /tmp in /etc/fstab
/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0
Now we deal with /tmp only.
Update 28/03/2015: That practice was for many unstable and criticized also by many. Unfortunately for them, I was vindicated when even OpenBSD in the upcoming version does the same for the very same reasons. Security.
- /var/tmp is now a symbolic link to /tmp, as a first step towards reducing the “fill it up” attack surface against the /var partition.
If it’s a separate partition we only need a
/tmp ext4 defaults,nodev,nosuid,noexec 1 2
If it’s not, we will create an image for it. The example is for 4GB, tune it as you like.
# mkdir -p /root/images/
# dd if=/dev/zero of=/root/images/tmpfile.bin bs=1 count=0 seek=4G
# mkfs.ext4 /root/images/tmpfile.bin
# mount -o loop,rw,nodev,nosuid,noexec /root/images/tmpfile.bin /tmp
# chmod 1777 /tmp
Modify /tmp line as follows:
/root/images/tmpfile.bin /tmp ext4 loop,rw,noexec,nosuid,nodev 0 0
You should to the same for shm:
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
Edit your /etc/fstab:
# nano /etc/fstab
“none /dev/shm tmpfs defaults,rw 0 0” to
“none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0”
# mount -o remount /dev/shm
It should be fine now.