By default, RS servers come with everything lumped in / and a small amount partitioned for /boot and some for swap. With this current setup, you have no room for making more partitions unless you have a second hard-drive.

Recently, I found out it would be worthwhile to give /tmp it's own partition and mount it using noexec- This would protect your system from MANY local and remote exploits of rootkits being run from your /tmp folder.

First off, I want to thank everyone for their help from this thread:

http://forum.rackshack.net/showthread.php?...&threadid=27470

I am simply compiling their advice into a how-to...

What we are doing it creating a file that we will use to mount at /tmp.



Create 100MB file for our /tmp partition. If you need more space, make count size larger.



Make an extended filesystem for our tmpMnt file





Backup your /tmp dir- I had mysql.sock file that I needed to recreate the symbolic link for. Other programs may use it to store cache files or whatever.




Mount the new /tmp filesystem with noexec




Copy everything back to new /tmp and remove backup




Now we need to add this to fstab so it mounts automatically on reboots.



You should see something like this:



At the bottom add



(Each space is a tab)

Ctrl + X and Y

Your done- /tmp is now mounted as noexec. You can sleep a little bit safer tonight. I created a hello world c++ and compiled it then moved it to /tmp. Upon trying to run it (even chmod +x'ed), it gives the following error:



Yay! /tmp no longer has execute permissions :-D

Regards,

Steve

Ok. I'm gonna give this a shot on my cpanel server. Thanks for the howto.

http://forum.rackshack.net/showthre...&threadid=27470 this thread was great!!!!!!!!!!

Very usefull howto, thank you very much!

One question though -

At the bottom add


dev/tmpMnt /tmp ext2 loop,noexec,rw 0 0


What does the loop feature do?
Should we add these as well?

nosuid,noatime,nodev

Updated Main Tutorial

Steve - Why do you have defaults listed in your /tmp partition?

Updated Main Tutorial

Was just wondering if a reboot is needed after applying these changes or does it take affect rigth away ??

Thx's

i got the below error though

mke2fs 1.27 (8-Mar-2002)
/dev/tmpMnt is not a block special device.

how do i solve this?

i got a "continue anyway" after that message, saying yes just worked fine...no problems so far.

ahh yes.. didnt notice the continue option

With the mount command, it should happen right away. Adding it to fstab just tells the server to remount it on reboots.

To test it did happen, type:



You should see on the last line the /dev/tmpMnt partition. If you do, then your changes have taken effect (as they should have) without a reboot.

thx's

worked fine

Is there a way to reverse this.. apparently it causes problems with Cpanel

this is the error we get when logging into the Cpanel control panel now when displaying current disc quota usage:


this is what out fstab file looked like prior to the changes:

any help appreciated.

thx's

is there any way to remove or reverse this apparently it causes problems with servers with Cpanels and disc quotas.

Need help asap

thx's

Just so you dont get a false sense of security...

You can just do sh even if its in /tmp... noexec just stops the execute flag being set on the programs

is there away to restore the fstab back to it's original settings as it was prior to the changes??

Hi- I have cPanel also but no problems. It looks like you have a Dell dual xeon I believe? Anyways, you can just remove the line from /etc/fstab and do a umount /dev/tmpMnt

Steve

Steve,

Yes, we are on a Dell dual xeon.

Do I first remove the line in the fstab file, then do the command: umount /dev/tmpMnt or does it matter ??

thx's

I get this message when attempting to do umount /dev/tmpMnt

umount: /tmp: device is busy

There is probably another way- But the easiet would just be to do a reboot. You may have to remake your /tmp folder and chmod it 777. You may also have to create a mysql.sock symlink to /var/lib/mysql/mysql.sock with ln -s /var/lib/mysql/mysql.sock mysql.sock in /tmp

So I would edit the fstab file, removing the new line, reboot, then recreate the /tmp folder or remove the /tmp folder before rebooting, then recreate the /tmp folder ??

thx's

Edit fstab
Remove new line
Reboot with shutdown -r now
When you come back you should have no /tmp
Mkdir /tmp
chmod 0777 /tmp
ln -s /var/lib/mysql/mysql.sock /tmp/mysql.sock

Thanks Steve, all is back to normal again. Everything appears to be back to normal.

Thank you for your help, much appreciated.

Mickalo

No problem- I'm unsure what caused the problem for you, worked wonderful on my cPanel system.

Not sure either, but I guess I'll leave it as it is for now... it's diplaying all the quotas properly now in the Cpanels... plus I couldn't change Disc Quotas in the WHM. I had to manuall edit the /etc/quota.conf then run the /scripts/fixquotas in order to make changes in an account disc quota, but now it's all working fine.

Thx's

Guys I've found the "nodev" option to give me errors in WHM when creating accounts

- here are the errors I encounter:

edquota: Device (/dev/tmpMnt) filesystem is mounted on isn't block or character device nor it's loopback or bind mount. Skipping.
No filesystems with quota detected.

Once I removed the "nodev" option from the /tmp partition in /etc/fstab the error went away, so it may be wise to remove it from your fstab if you have it there.

I'm also getting this message after account creation:

"No filesystems with quota detected."

Any suggestions?

Just ran /scripts/fixquotas I'll let you know if that fixed anything

Update: /scripts/fixquotas did fix my problem, thanks!

Again - Did not happen in my case. Odd, what version of cPanel you running? Do you have dual hd's? Are they scsi?

we just setup on a Dell Dual Xeon RAID5 w/(3) 73GBHD's. We are running Cpanel 6.4 at the moment, haven't upgraded yet do to all the problems with Exim and the Apache upgrades.

what kind of machine are you on ?? RH version ??

Can you briefly outline the steps you did to set this up ?

Thx's

P4 machine with single 80 gig hard drive.

WHM 7.2.0 cPanel 7.2.1-E46
RedHat 7.3 - WHM X v2.1

Simply followed SwirlDot's tutorial on the first page:
But did this for /etc/fstab

/dev/tmpMnt /tmp ext2 loop,nosuid,noexec,rw 0 0

Then rebooted my machine

Then ran /scripts/fixquotas

Seems to be working fine now

great thanks I'll give it another shot. Now that I know how to remove it if necessary.

One question, from SwrilDot instructions he says to type:

can this be replaced with this instead, adding the nosuid in the command line:
without causing any problems ??

thx's

Yes.

thx's

how can I double check to make sure this set up correctly...

mickalo, can you post a quick how-to for a dual xeon if you manage to get it working on yours? Thanks!

I just followed the steps on the very first post in this thread by SwirlDot, except changed one line from this:

to this


eveything else is the same.

Type df -h

If you see a line with /dev/tmpMnt in it, it is working correctly.

You may also want to try and reboot and check df -h again to see if it mounts on reboot with fstab, as it should.

Regards,

Steve

What then is the use of performing this /tmp mount procedure?

What does nodev do?

I followed the HOW-TO, everything went smoothly.

I created file a with the following code:

echo "HELLO WORLD!"

sh /tmp/a

will give me the output "HELLO WORLD!"

Why is that happening? I thought noexec should prevent this

noexec prevents the execute mode from being set...

You can run things with..

sh ./hello.sh

But, you cannot run things with just ./hello.sh

I believe this also prevents any compiled code from being run (I tried with just ./a.out but I don't know if there is another way for the C++ program I compiled??)

-Steve

I just did a small test

Created file hello.c



Compiled the c program

cc hello.c -o hello

Tried to execure ./hello but

bash: ./hello: Permission denied

So indeed compiled programs will not be executed. What about shell scripts? Should I just chmod sh to 700?

Thanks

Installed and working great but....

chkrootkit shows /dev/tmpmnt as an alias. Does anyone know if this is a problem or is there something to make it be non-aliased?

Thanks

anyone did this on PLESK machine? thanks...

Hi, it does not matter what control panel you are using.

This HOW-TO will work on any RedHat Linux system that RackShack offers as long as you have common utilities and root priveleges.

Oops, meant to edit the "add-on" posts I made because I put it all together in the first post. Accidently clicked quote instead of edit. Sorry.

Hello, I think /var/tmp and /dev/shm also has permission like "1777". We don't have to think about those directories?
I mean should we mount those directories with noexec?

Sorry if this is a dumb question.
Thanks

What does /dev/shm do? what is in it?

I'm not sure... It looks like nothing is in it, but it has something to do with kernel?

/var/tmp - just make it a link to /tmp.