Mounting /tmp with nodev,nosuid,noexec

  • Hi,


    I want to tweak the security of my OMV system by protecting the /tmp partition so that it is not allowed to run arbitrary binaries.


    My current /etc/fstab entry for tmp partition is:


    Code
    $ cat /etc/fstab | grep "/tmp"
    tmpfs           /tmp            tmpfs   defaults        0       0


    ... and is mounted like this:


    Code
    $ mount | grep "/tmp"
    tmpfs on /tmp type tmpfs (rw,relatime)


    All I want to do is to add nodev, nosuid and noexec to mount options, like this:

    Code
    tmpfs           /tmp            tmpfs   defaults,nodev,nosuid,noexec        0       0


    Next step, link /var/tmp to /tmp:

    Code
    $ rmdir /var/tmp
    $ cd /var
    $ ln -s /tmp



    Do you know if these configuration changes would cause any problems in the OMV application or any other OS component?


    Thanks in advance,
    MrWalterWhite

    OpenMediaVault 2.2.14 (Stone burner)
    VMware ESXi 5.5U3 (build-5230635) | HP ProLiant MicroServer Gen8 | Intel Xeon CPU E3-1265L V2 @ 2.50GHz | 16GB RAM | 250GB SSD + 4x 3TB HDD

  • Hi,


    Based on the above directions, here is my final configuration (in case others would be interested).


    1. Change /etc/fstab to include nodev, nosuid and noexec mount options in /tmp partition:

    Code
    $ nano /etc/fstab
    tmpfs           /tmp            tmpfs   defaults,nodev,nosuid,noexec        0       0


    2. Delete /var/tmp and link it to /tmp:

    Code
    $ rmdir /var/tmp
    $ cd /var
    $ ln -s /tmp


    3. Remount /tmp partition with new options and check it:

    Code
    $ mount -o remount /tmp
    $ mount | grep "/tmp"
    tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)


    4. Apt-get sometimes executes scripts from /tmp, so create a file called 30tmpdir and place it into /etc/apt/apt.conf.d/ with the following contents:


    5. You might want to install the libpam-tmpdir package so that temporary files are organized into their own user directories:

    Code
    $ apt-get install libpam-tmpdir


    6. And now you can run pam-auth-update to make sure that the module is enabled (in my case I selected both "Unix authentication" and "per-user temporary directories"):

    Code
    $ pam-auth-update


    Bye,
    MrWalterWhite

    OpenMediaVault 2.2.14 (Stone burner)
    VMware ESXi 5.5U3 (build-5230635) | HP ProLiant MicroServer Gen8 | Intel Xeon CPU E3-1265L V2 @ 2.50GHz | 16GB RAM | 250GB SSD + 4x 3TB HDD
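    As an added example (not part of the thread above, and not OMV's own tooling), the following POSIX shell script audits the result of the procedure: it reads the /proc/mounts line for a mount point and reports which of nodev, nosuid and noexec are missing. The two sample lines are constructed to mirror the "before" and "after" output the poster shows; the function names (mount_opts, missing_hardening_opts, audit_mountpoint) are this example's own.

```shell
#!/bin/sh
# Added example (not from the forum post): audit a mount point for the
# hardening options nodev, nosuid and noexec.

# Constructed sample lines in /proc/mounts format (field 4 is the option list).
SAMPLE_BEFORE='tmpfs /tmp tmpfs rw,relatime 0 0'
SAMPLE_AFTER='tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

# Print the comma-separated option field of one /proc/mounts line.
mount_opts() {
    printf '%s\n' "$1" | awk '{print $4}'
}

# Print the hardening options absent from a mount line, space-separated.
# Prints an empty line and returns 0 when all three are present, 1 otherwise.
missing_hardening_opts() {
    opts=$(mount_opts "$1")
    missing=""
    for want in nodev nosuid noexec; do
        # Surround with commas so "nodev" does not match inside another option.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Audit a live mount point, e.g. audit_mountpoint /tmp
# Returns 0 when hardened, 1 when options are missing, 2 when the path is
# not a mount point at all (a plain directory cannot carry these options).
audit_mountpoint() {
    line=$(awk -v mp="$1" '$2 == mp' /proc/mounts | tail -n 1)
    if [ -z "$line" ]; then
        echo "$1: not a mount point"
        return 2
    fi
    m=$(missing_hardening_opts "$line")
    if [ -z "$m" ]; then
        echo "$1: OK (nodev,nosuid,noexec all set)"
    else
        echo "$1: missing $m"
        return 1
    fi
}
```

    Run audit_mountpoint /tmp after step 3; it only verifies the options the kernel actually applied, which is what matters (an fstab line that was never remounted changes nothing). Two caveats on the procedure itself: because /var/tmp is now a symlink into a tmpfs, anything placed there is lost at reboot, whereas /var/tmp is normally expected to survive reboots; and noexec on /tmp blocks programs that unpack and run helpers from there, so run audit_mountpoint again after any package upgrade that had to remount /tmp with exec to confirm the hardened options were restored.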
