Saturday, October 29, 2005

Mounting /tmp with noexec

These commands create a loopback-mounted /tmp filesystem with noexec (and nosuid) set.

cd /dev
# 100 MB regular file that will back the /tmp filesystem (not a block device)
dd if=/dev/zero of=tmpMnt bs=1024 count=100000
# create an ext2 filesystem inside the file; mke2fs asks whether to proceed
# because the target is not a block device, answer yes
mke2fs /dev/tmpMnt
# back up the current contents of /tmp (-p keeps ownership, modes and timestamps)
cp -p -r /tmp /home/backup/tmp
# if you have a mysql.sock file in /tmp, recreate the symbolic link for it afterwards (see below)
cd /
# mount the file over /tmp through the loop device, with noexec and nosuid
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
# world-writable with the sticky bit, so users can only remove their own files
chmod 1777 /tmp
# copy the old contents back (the trailing /. also copies dotfiles)
cp -p -r /home/backup/tmp/. /tmp/
# add the entry to /etc/fstab so the mount comes back after a reboot
#vi /etc/fstab
# /dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0
# now nothing in /tmp should run directly
# bash: ./binary-program: Permission denied

You may get the following warning from mke2fs, because the target is intentionally a regular file rather than a block device; answer yes to proceed:

mke2fs 1.27 (8-Mar-2002)
/dev/tmpMnt is not a block special device. If so, try "continue anyway"

There is no need to reboot. Confirm the mount with

df -h

On Dell dual Xeon servers, trying the above will also print this quota message:

Disk usage quota:
Device (/dev/tmpMnt) filesystem is mounted on isn't block or
character device nor it's loopback or bind mount. Skipping.
quota: Quota file not found or has wrong format. 0.00 Megabytes

To unmount, undo the changes in /etc/fstab and execute

umount /dev/tmpMnt

If you get a "device is busy" message, recreate your /tmp folder and give it execute permissions (not recommended). Then, depending on your server configuration, create a mysql.sock symlink to /var/lib/mysql/mysql.sock using

ln -s /var/lib/mysql/mysql.sock /tmp/mysql.sock

Note: Even with noexec on /tmp, a program can still be executed by handing it to an interpreter, using the sh <script> syntax. noexec only prevents an attacker from running a script or binary directly by setting its execute permission bit.
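As an added check (example code written for this page, not from the original post), the following POSIX shell audit parses a mount table in /proc/mounts format and confirms that /tmp is a separate mount carrying noexec and nosuid, and that a directory has the sticky bit. The mount table it runs against is constructed sample data; the function names are my own.

```shell
#!/bin/sh
# Added audit (not from the original post): is /tmp a separate mount with
# noexec and nosuid, and is the sticky bit set? Input is /proc/mounts format:
# device mountpoint fstype options dump pass

# Constructed sample mount table (not captured from a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/tmpMnt /tmp ext2 rw,noexec,nosuid 0 0
/dev/sda3 /home ext3 rw 0 0'

# mount_opts TABLE MOUNTPOINT: print the options of the last (topmost) mount
# at MOUNTPOINT; fail if nothing is mounted there.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" \
        '$2 == mp { opts = $4 } END { if (opts == "") exit 1; print opts }'
}

# has_opt OPTS NAME: succeed if comma-separated OPTS contains NAME exactly
# (so "exec" does not match "noexec").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_tmp TABLE: report on /tmp; succeed only with both noexec and nosuid.
audit_tmp() {
    opts=$(mount_opts "$1" /tmp) || { echo "/tmp is not a separate mount"; return 1; }
    missing=""
    for want in noexec nosuid; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    if [ -n "$missing" ]; then
        echo "/tmp mounted with '$opts'; missing:$missing"
        return 1
    fi
    echo "/tmp mounted with '$opts': ok"
}

# sticky_set DIR: succeed if DIR has the sticky bit (mode 1777 on /tmp, so
# users can only delete their own files). Reads the mode column of ls -ld.
sticky_set() {
    case "$(ls -ld "$1" | cut -c10)" in
        t|T) return 0 ;;
        *)   return 1 ;;
    esac
}

audit_tmp "$SAMPLE_MOUNTS"   # prints: /tmp mounted with 'rw,noexec,nosuid': ok
```

On a live host run `audit_tmp "$(cat /proc/mounts)" && sticky_set /tmp`; a non-zero exit means the mount options or the sticky bit are not what the procedure above intends.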

RANDOM TIP: Quota Config: /etc/quota.conf
