A couple of days ago a CentOS Linux server whose administration I took over had some mysterious files show up in the /tmp and /var/tmp directories. The files were placed there by the apache user, meaning there is some form of security hole in Apache, PHP, or an insecure application installed under one of the virtual hosts. Before looking into where the issue is I needed to lock things down so that no applications can be executed from these directories in the future, regardless of what flaw is exploited. Below are instructions on how to secure /tmp and /var/tmp.
Secure /tmp Directory On Linux:
- Generate 1GB File: Make sure that you have enough free space on your hard drive using the df command (df -kh). Then generate a one gigabyte file that will back the /tmp directory using the syntax below.

```
[root@dev ~]# dd if=/dev/zero of=/dev/tmpDIR bs=1024 count=1000000
1000000+0 records in
1000000+0 records out
1024000000 bytes (1.0 GB) copied, 5.32903 seconds, 192 MB/s
```
As you can see in the above output it took the server 5.3 seconds to generate the 1GB file, which will be used for both /tmp and /var/tmp once we are finished.
- Format File To EXT3: After the file is created you will need to format it as ext3, or whatever filesystem you use for the other directories on the Linux server, using syntax similar to the below. The output is included so you know that when the “Proceed anyway?” prompt appears (mkfs warns because the target is a regular file rather than a block device) you should type “y” for yes followed by enter to continue.

```
[root@dev ~]# /sbin/mkfs.ext3 /dev/tmpDIR
mke2fs 1.39 (29-May-2006)
/dev/tmpDIR is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
125184 inodes, 250000 blocks
12500 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=260046848
8 block groups
32768 blocks per group, 32768 fragments per group
15648 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376

Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 24 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
[root@dev ~]#
```
- Backup Current /tmp Directory: Now back up the current /tmp directory using the syntax below, which keeps the same permissions on the files currently in /tmp.

```
[root@dev ~]# cp -Rpf /tmp /tmpbak
```
- Mount New /tmp Directory: After backing up the data you can proceed with mounting the new /tmp directory with the syntax below.

```
[root@dev ~]# mount -o loop,noexec,nosuid,rw /dev/tmpDIR /tmp
```
Notice we are mounting the /tmp directory with noexec and nosuid, which respectively stop direct execution of binary files and prevent set-user-ID and set-group-ID bits from taking effect.
- Modify /tmp Directory Permissions: Use the syntax below to set the permissions of the new /tmp directory on the CentOS Linux server.

```
[root@dev ~]# chmod 1777 /tmp
```
- Copy Old /tmp Data: After the directory is mounted and the proper permissions are set you should copy the data from the old /tmp directory into the newly created /tmp directory. First cd into the /tmpbak directory and then copy all of the contents using the syntax below.

```
[root@dev ~]# cd /tmpbak
[root@dev ~]# cp -Rpf * /tmp/
```
You may also need to run the same command again with .* instead of * so that files whose names begin with a dot are copied as well.
- Modify fstab: After verifying that the new /tmp directory is working properly you should add the line below to the end of /etc/fstab so the new directory is mounted when the server reboots.

```
/dev/tmpDIR /tmp ext3 loop,nosuid,noexec,rw 0 0
```
After finishing the above steps you should test the /tmp directory to verify it is secure by copying an executable into /tmp and attempting to execute it. Once verified you should also follow the steps below to secure /var/tmp, which can be abused in the same way and cause issues on your server.
Secure /var/tmp On A CentOS Linux Server:
- Temporarily Move /var/tmp: Move the /var/tmp directory to a new location so you can create a symlink to the /tmp directory we already secured.

```
[root@dev ~]# mv /var/tmp /var/tmpbak
```
- Create A Symbolic Link: Once the directory has been moved you can create a symbolic link to the /tmp directory using the syntax below. This makes /var/tmp the same filesystem as /tmp while keeping the /var/tmp path intact for applications that expect it.

```
[root@dev ~]# ln -s /tmp /var/tmp
```
- Copy /var/tmp Contents: Once the symbolic link is created you should copy the contents of the /var/tmpbak directory to /var/tmp using the syntax below.

```
[root@dev ~]# cp -pR /var/tmpbak/* /tmp
```

Make sure to verify that all of the contents of the old directory made it to the new directory.
Your /tmp and /var/tmp directories are now secured on your CentOS Linux server.
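The whole procedure above (both the /tmp steps and the /var/tmp symlink) as one script, added here as an example and not part of the original article. It assumes the backing image lives at /var/tmpDIR.img on a real disk rather than under /dev (several readers below report a file under /dev not surviving a reboot), uses mkfs.ext3 -F to skip the "not a block special device" prompt, copies with `dir/.` so dotfiles come along without the `.*` glob, and adds a small text check of the mount options that also runs offline against a constructed /proc/mounts sample.

```bash
#!/bin/bash
# Added example, not the article's code: the /tmp and /var/tmp steps as one
# script, plus a text check of mount options usable on /proc/mounts or on a
# captured copy. Assumes the image lives at /var/tmpDIR.img on a real disk
# (on newer CentOS /dev is a tmpfs rebuilt at boot), 1000 MB, ext3.
set -u
TMP_IMG=${TMP_IMG:-/var/tmpDIR.img}
TMP_MB=${TMP_MB:-1000}
TMP_OPTS="loop,nosuid,noexec,rw"
# Succeed only if $3 (/proc/mounts-style text) shows $1 mounted with every
# option in the comma-separated list $2.
has_mount_opts() {
    local mnt=$1 want=$2 text=$3 opts o
    opts=$(printf '%s\n' "$text" | awk -v m="$mnt" '$2 == m {print $4; exit}')
    [ -n "$opts" ] || return 1
    for o in $(printf '%s' "$want" | tr ',' ' '); do
        case ",$opts," in *",$o,"*) ;; *) return 1 ;; esac
    done
}
# The fstab entry from the article, built from the same variables.
fstab_line() { printf '%s /tmp ext3 %s 0 0\n' "$TMP_IMG" "$TMP_OPTS"; }
# Root only. 'dir/.' copies dotfiles too, avoiding the .* glob (matches '..').
setup_secure_tmp() {
    dd if=/dev/zero of="$TMP_IMG" bs=1M count="$TMP_MB"
    mkfs.ext3 -F "$TMP_IMG"        # -F skips the "not a block special device" prompt
    cp -Rpf /tmp /tmpbak
    mount -o "$TMP_OPTS" "$TMP_IMG" /tmp
    chmod 1777 /tmp
    cp -a /tmpbak/. /tmp/
    grep -q "^$TMP_IMG " /etc/fstab || fstab_line >> /etc/fstab
    mv /var/tmp /var/tmpbak && ln -s /tmp /var/tmp && cp -a /var/tmpbak/. /tmp/
    has_mount_opts /tmp noexec,nosuid "$(cat /proc/mounts)" || return 1
    # The article's final test: a binary copied into /tmp must refuse to run.
    cp /bin/true /tmp/exectest
    if /tmp/exectest 2>/dev/null; then echo "FAIL: /tmp runs binaries" >&2; return 1; fi
    rm -f /tmp/exectest
}
# Constructed /proc/mounts sample (not real output) for an offline self-check.
SAMPLE_MOUNTS='/dev/mapper/VolGroup00-LogVol04 / ext3 rw,relatime 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'
# 0 when the checker accepts the hardened /tmp and rejects the other lines.
check_sample() {
    has_mount_opts /tmp noexec,nosuid "$SAMPLE_MOUNTS" || return 1
    has_mount_opts / noexec "$SAMPLE_MOUNTS" && return 1
    has_mount_opts /var/tmp noexec "$SAMPLE_MOUNTS" && return 1
    return 0
}
if [ "${1:-}" = "--run" ]; then setup_secure_tmp; else check_sample && echo "checker ok"; fi
```

Run it with no arguments to exercise only the checker on the sample; `--run` as root performs the real steps, and after a reboot `has_mount_opts /tmp noexec,nosuid "$(cat /proc/mounts)"` confirms the fstab entry took effect.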
I also have this line in fstab:

```
tmpfs /dev/shm tmpfs defaults 0 0
```

And

```
df -h |grep tmp
```

shows

```
tmpfs 3.9G 0 3.9G 0% /dev/shm
/dev/tmpDIR 962M 18M 896M 2% /tmp
```

Do I need to get rid of that line?
Hello Dae,
Nope. That line should stay put.
Thanks.
alex
Thanks for the reply!
I think you’ve got a mistake in the 6th step:
[root@dev ~]# cd /tmpbackup
I believe it should be cd /tmpbak
Also the last command (cp -pR /var/tmpbak/* /tmp) returned an error for me, saying that /var/tmpbak/* is empty (I checked with ls -all /var/tmpbak/, it was really empty).
Hello Dae,
I updated tmpback to tmpbak. Thanks for pointing that out. It is definitely possible that the directory is empty.
Thanks.
alex
Hi,
Nice howto! However, after every reboot, /dev/tmpDIR disappears. Why?
I’m using CentOS 6.3
Thanks
I am having the exact same thing happening: after every reboot, /dev/tmpDIR disappears. Why?
I’m using CentOS 6.3 also
This article helped me a lot. I have one issue though –
/dev/tmpDIR disappears after a restart and, due to the fstab entry, the system hung at restart with the error below.

```
The disk drive for /tmp is not ready yet or not present.
```
Hi,
Long time for repost, but I really find this article very useful. Many thanks!
I have a question: when you generate the dd file to create the partition, from where does it take the space to generate it? I have the following partition table:

```
[root@heracles /]# df -kh
Filesystem                       Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol04   33G  1.8G   30G   6% /
/dev/mapper/VolGroup00-LogVol00   19G  739M   18G   5% /home
/dev/mapper/VolGroup00-LogVol02   38G  3.1G   33G   9% /usr
/dev/mapper/VolGroup00-LogVol03   38G  1.5G   35G   5% /var
/dev/sda1                         99M   26M   68M  28% /boot
tmpfs                            1.5G     0  1.5G   0% /dev/shm
/dev/tmpDIR                      962M   37M  877M   4% /tmp
/dev/varlogDIR                   522M  200M  295M  41% /var/log
```

With more than enough disk space on the / partition, but when I try to create another file partition, it gives me the following message:

```
dd: writing `/dev/varlogauditDIR': No space left on device
```
Can you give me some advice about this? Thanks again!