David Kitchen

Just another SharePoint developer blogging

Securing /tmp and /var/tmp on Ubuntu whilst keeping apt-get working

Securing /tmp and /var/tmp is not the highest priority, but a fair few script kiddies seem to attack it via Apache, so whilst this doesn’t equate to “secure”, it does help guard against that specific attack.

This guide was written for Ubuntu 9.10 Karmic Koala, but I’m sure it will work on most Linux distributions with at most minor adjustments.

Let’s start with /tmp:

Create a 100 MB file at /tmpMnt to hold our /tmp filesystem. bs is the block size and 1024 bytes is 1 KB, so count is 102400 (total size / block size = count, and 100 MB / 1 KB = 102,400).

cd /
dd if=/dev/zero of=tmpMnt bs=1024 count=102400

Make an ext3 filesystem inside the file:

/sbin/mkfs -t ext3 /tmpMnt

Back up your current /tmp directory (-a preserves ownership, permissions and special files):

cp -a /tmp /tmp_backup

Mount the new /tmp filesystem:

mount -o loop,noexec,nosuid,nodev,rw /tmpMnt /tmp
chmod 1777 /tmp

Copy everything back to the new /tmp (copying from /tmp_backup/. rather than /tmp_backup/* so that dot-files such as .X11-unix are not missed) and remove the backup:

cp -a /tmp_backup/. /tmp/
rm -rf /tmp_backup

Now we need to add this to fstab so it mounts automatically on reboots:

vim /etc/fstab

You should see something like this:

# /etc/fstab: static file system information.
#
#
proc /proc proc defaults 0 0
/dev/xvda / ext3 noatime,errors=remount-ro 0 1
/dev/xvdb none swap sw 0 0
192.168.127.127:/files /files nfs rsize=8192,wsize=8192,timeo=14,intr,nolock

At the bottom add:

/tmpMnt /tmp ext3 loop,noexec,nosuid,nodev,rw 0 0

So that the file now looks something like this (everything above the last line is what was already in the file):

# /etc/fstab: static file system information.
#
#
proc /proc proc defaults 0 0
/dev/xvda / ext3 noatime,errors=remount-ro 0 1
/dev/xvdb none swap sw 0 0
192.168.144.130:/files /files nfs rsize=8192,wsize=8192,timeo=14,intr,nolock
/tmpMnt /tmp ext3 loop,noexec,nosuid,nodev,rw 0 0

Save and exit vim (:wq) and you’re done with /tmp.

Securing /var/tmp: just symlink it to /tmp. (Bear in mind that the FHS expects files in /var/tmp to survive a reboot, which /tmp does not guarantee; if you have software that relies on that, give /var/tmp its own loop-backed filesystem mounted with the same noexec,nosuid,nodev options instead of the symlink.)

rm -fR /var/tmp
ln -s /tmp /var/tmp

Finally, to ensure apt-get continues to work, edit:

vim /etc/apt/apt.conf.d/70debconf

And add to the bottom:

DPkg::Pre-Invoke {"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount /tmp";};

That remounts /tmp with exec permission for the duration of the dpkg run, and the Post-Invoke remount (which, given only the mount point, re-reads the options from fstab, noexec included) removes it again once done. /tmp is only executable for the length of the dpkg run.
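
A quick audit to confirm the options are actually in force, as an added POSIX sh example that is not from the original post: check_mount_opts reads a /proc/mounts-style table on stdin (assumed to carry the mount point in field 2 and the options in field 4), noexec_effective tries to run a throwaway script to prove the kernel refuses, and the two mount tables are constructed, one for the steady state after a reboot and one for the window while the Pre-Invoke remount has made /tmp executable.

```sh
#!/bin/sh
# Added example, not from the original post: audit that /tmp still carries
# the hardening options after a reboot or after apt-get's Post-Invoke remount.
# Assumes /proc/mounts layout on stdin: whitespace-separated fields with the
# mountpoint in field 2 and the comma-separated options in field 4.

# check_mount_opts MOUNTPOINT OPTION...  (mount table on stdin)
# Returns 0 only if MOUNTPOINT is mounted with every OPTION listed.
check_mount_opts() {
    mp="$1"; shift
    # keep the last entry for the mountpoint: a later mount shadows earlier ones
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    [ -n "$opts" ] || return 1
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# noexec_effective DIR
# Drops a throwaway script into DIR and tries to run it; returns 0 only if
# the kernel refused to execute it (status 126), i.e. noexec really holds.
noexec_effective() {
    probe="$1/noexec-probe.$$"
    printf '#!/bin/sh\nexit 0\n' > "$probe" && chmod 755 "$probe" || return 2
    "$probe" >/dev/null 2>&1; rc=$?
    rm -f "$probe"
    [ "$rc" -eq 126 ]
}

# Constructed mount tables (not captured from a real host).  The fstab loop
# mount appears under its loop device, not /tmpMnt.  AFTER_REBOOT is the
# expected steady state; DURING_APT is what the Pre-Invoke remount,exec leaves.
AFTER_REBOOT='/dev/xvda / ext3 rw,noatime,errors=remount-ro 0 0
/dev/loop0 /tmp ext3 rw,nosuid,nodev,noexec 0 0'
DURING_APT='/dev/xvda / ext3 rw,noatime,errors=remount-ro 0 0
/dev/loop0 /tmp ext3 rw,nosuid,nodev 0 0'

report() {  # report LABEL TABLE: print whether /tmp in TABLE is fully hardened
    if printf '%s\n' "$2" | check_mount_opts /tmp noexec nosuid nodev
    then echo "$1: /tmp hardened"; else echo "$1: /tmp NOT hardened"; fi
}
report after-reboot "$AFTER_REBOOT"
report during-apt "$DURING_APT"
# Live host: check_mount_opts /tmp noexec nosuid nodev < /proc/mounts
```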

References:
http://www.webhostgear.com/34.html
http://www.directadmin.com/forum/showthread.php?t=12323
http://www.debian-administration.org/article/Making_/tmp_non-executable
http://www.mail-archive.com/debian-isp@lists.debian.org/msg10575.html

2 Comments

  1. Hugh

    Thanks, this is a good idea. I think many overestimate the default security in Ubuntu. Any methods of enhancing security are very welcome.

  2. John

    /var/tmp should not be symlinked to /tmp

    According to the filesystem specs, applications can rely on files in /var/tmp to be persistent across reboots, while files in /tmp may be removed on reboot.
