Mounting /tmp with nodev,nosuid,noexec


      Hi,

      I want to tweak the security of my OMV system by protecting the /tmp partition so that it is not allowed to run arbitrary binaries.

      My current /etc/fstab entry for tmp partition is:

          $ cat /etc/fstab | grep "/tmp"
          tmpfs /tmp tmpfs defaults 0 0


      ... and is mounted like this:

          $ mount | grep "/tmp"
          tmpfs on /tmp type tmpfs (rw,relatime)


      All I want to do is to add nodev, nosuid and noexec to mount options, like this:

          tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec 0 0


      Next step, link /var/tmp to /tmp:

          $ rmdir /var/tmp
          $ cd /var
          $ ln -s /tmp



      Do you know if these configuration changes would cause any problems in the OMV application or any other OS component?

      Thanks in advance,
      MrWalterWhite
      OpenMediaVault 2.2.14 (Stone burner)
      VMware ESXi 5.5U3 (build-5230635) | HP ProLiant MicroServer Gen8 | Intel Xeon CPU E3-1265L V2 @ 2.50GHz | 16GB RAM | 250GB SSD + 4x 3TB HDD
    • Yes. There are some problems regarding apt-get in Debian; it sometimes uses that folder to execute scripts. Take a look here to work around that.

      https://www.debian-administration.org/article/57/Making_/tmp_non-executable

      edit: this one is more up to date: deb-admin.com/secure-your-tmp-partition/
      chat support at #openmediavault@freenode IRC | Spanish & English | GMT+10
      telegram.me/openmediavault broadcast channel
      openmediavault discord server
    • Hi,

      Based on the above directions, here is my final configuration (in case others would be interested).

      1. Change /etc/fstab to include the nodev, nosuid and noexec mount options for the /tmp partition:

          $ nano /etc/fstab
          tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec 0 0


      2. Delete /var/tmp and link it to /tmp:

          $ rmdir /var/tmp
          $ cd /var
          $ ln -s /tmp


      3. Remount the /tmp partition with the new options and check it:

          $ mount -o remount /tmp
          $ mount | grep "/tmp"
          tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)


      4. Apt-get sometimes executes scripts from /tmp, so create a file called 30tmpdir in /etc/apt/apt.conf.d/ with the following contents:

          $ nano /etc/apt/apt.conf.d/30tmpdir
          DPkg::Pre-Invoke
          {
              "mount -o remount,exec /tmp";
          };
          DPkg::Post-Invoke
          {
              "mount -o remount /tmp";
          };


      5. You might want to install the libpam-tmpdir package so that temporary files are organized into their own user directories:

          $ apt-get install libpam-tmpdir


      6. And now you can run pam-auth-update to make sure that the module is enabled (in my case I selected both "Unix authentication" and "per-user temporary directories"):

          $ pam-auth-update


      Bye,
      MrWalterWhite
      OpenMediaVault 2.2.14 (Stone burner)
      VMware ESXi 5.5U3 (build-5230635) | HP ProLiant MicroServer Gen8 | Intel Xeon CPU E3-1265L V2 @ 2.50GHz | 16GB RAM | 250GB SSD + 4x 3TB HDD
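
      The script below is an added example, not code from the thread or from the OpenMediaVault project. It turns the six steps of the post above into one POSIX shell script: a check that a /proc/mounts-style listing shows /tmp with nodev,nosuid,noexec, a rewrite of the fstab entry that only appends the options that are missing, the apt.conf.d hook, and an apply path that remounts, installs the hook and then verifies both from /proc/mounts and by trying to execute a probe script in /tmp. The function names, the `apply` argument, the backup path `/etc/fstab.bak` and the probe file name are this example's own choices; it assumes a Debian-style system with /etc/fstab, /proc/mounts and /etc/apt/apt.conf.d. Two caveats the post does not state: linking /var/tmp to a tmpfs /tmp means /var/tmp no longer survives a reboot, which some software expects it to, and noexec only refuses direct execution, so `sh /tmp/script` or `python /tmp/script.py` still run; it removes a convenience for attackers, it is not a boundary.

```shell
#!/bin/sh
# Added example (not from the forum thread or OMV): check and apply
# nodev,nosuid,noexec on /tmp as described in the post above.
# The check/rewrite functions take their input as arguments or file paths so
# they can be exercised on constructed data; only apply_hardening (run as
# "sh harden-tmp.sh apply", as root) touches the live system.
# Assumes Debian-style /etc/fstab, /proc/mounts and /etc/apt/apt.conf.d.

WANT="nodev nosuid noexec"

# tmp_opts_ok MOUNTS_FILE [MOUNTPOINT]
# Succeeds only if the last (i.e. top-most) mount of MOUNTPOINT listed in a
# /proc/mounts-style file carries every option in $WANT. Fails if the
# mountpoint is not listed at all.
tmp_opts_ok() {
    mounts=$1
    target=${2:-/tmp}
    opts=$(awk -v t="$target" '$2 == t { o = $4 } END { print o }' "$mounts")
    [ -n "$opts" ] || return 1
    for want in $WANT; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# fstab_line_with_opts "LINE"
# Prints one fstab entry with every option from $WANT that is missing appended
# to its options field; options already present are not duplicated.
# Field separators are normalised to single spaces.
fstab_line_with_opts() {
    printf '%s\n' "$1" | awk -v want="$WANT" '
        {
            n = split($4, have, ",")
            for (i = 1; i <= n; i++) seen[have[i]] = 1
            m = split(want, w, " ")
            for (i = 1; i <= m; i++) if (!seen[w[i]]) $4 = $4 "," w[i]
            print
        }'
}

# apt_hook_conf
# Prints the apt.conf.d snippet that lifts noexec for the duration of a dpkg
# run and restores it afterwards. Same idea as the post's 30tmpdir, with the
# restore made explicit rather than relying on a bare remount re-reading fstab.
apt_hook_conf() {
    cat <<'EOF'
DPkg::Pre-Invoke  { "mount -o remount,exec /tmp"; };
DPkg::Post-Invoke { "mount -o remount,noexec /tmp"; };
EOF
}

# apply_hardening
# Rewrite the /tmp entry in /etc/fstab (keeping a backup), remount, install
# the apt hook, then verify from /proc/mounts and with a probe script.
apply_hardening() {
    fstab=/etc/fstab
    # Skip comment lines: "# /tmp ..." would otherwise match on field 2.
    line=$(awk '$1 !~ /^#/ && $2 == "/tmp" { l = $0 } END { print l }' "$fstab")
    [ -n "$line" ] || { echo "no /tmp entry in $fstab" >&2; return 1; }
    new=$(fstab_line_with_opts "$line")
    cp "$fstab" "$fstab.bak"
    awk -v new="$new" '$1 !~ /^#/ && $2 == "/tmp" { print new; next } { print }' \
        "$fstab.bak" > "$fstab"
    mount -o remount,nodev,nosuid,noexec /tmp || return 1
    apt_hook_conf > /etc/apt/apt.conf.d/30tmpdir
    tmp_opts_ok /proc/mounts || { echo "/tmp still lacks $WANT" >&2; return 1; }
    # Direct execution must now fail with "Permission denied". An interpreter
    # reading the file ("sh /tmp/noexec-probe") is not stopped by noexec.
    printf '#!/bin/sh\necho executed\n' > /tmp/noexec-probe
    chmod 700 /tmp/noexec-probe
    if /tmp/noexec-probe 2>/dev/null; then
        echo "WARNING: files in /tmp still execute directly" >&2
        rm -f /tmp/noexec-probe
        return 1
    fi
    rm -f /tmp/noexec-probe
    echo "/tmp mounted with: $(awk '$2 == "/tmp" { o = $4 } END { print o }' /proc/mounts)"
}

if [ "${1-}" = "apply" ]; then
    apply_hardening
fi
```

      Run `sh harden-tmp.sh apply` as root to perform the change; without an argument the script only defines the functions, so `tmp_opts_ok /proc/mounts && echo ok` can be used from a monitoring job to catch a /tmp that was remounted without the options (for example after a failed dpkg run leaves the Pre-Invoke state in place).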
    • Thanks for the tutorial. Volker should think about including this in the main core.

      BTW: nice Avatar ;)
      "Glowing days. Don't cry because they are over. Smile because they happened." - Confucius

      Server: 1x 32GB SSD (system) - 5x 2TB Data - 1x 2TB Snapraid-Parity - latest OMV 1.x
      No Support through PM
      Tutorials --- Howto install OMV-Extras --- Upgrade/Update-Problems --- If autoshutdown doesn't work