Mount the /tmp partition with noexec and nosuid options

On Linux servers (especially web servers) it is recommended to create /tmp as a separate partition and mount it with the 'noexec' and 'nosuid' options. 'noexec' makes the kernel refuse to execute any file on that filesystem (execve() fails with "Permission denied"), which blocks the common pattern of an attacker dropping a payload into the world-writable /tmp and running it from there. 'nosuid' makes the kernel ignore the set-user-ID and set-group-ID bits on files within the filesystem, so a SUID binary planted in /tmp cannot be used to gain privileges. Adding 'nodev' as well (the fstab line below does) stops device nodes on the filesystem from being honoured. Be aware that noexec is a hardening measure, not a complete control: a script can still be run by handing it to an interpreter directly ('sh /tmp/x.sh', 'perl /tmp/x.pl'), and on old kernels a binary could be started through the dynamic loader ('/lib/ld-linux.so.2 /tmp/x') before mmap with PROT_EXEC was refused on noexec mounts. It removes the easy path and defeats naive droppers, but it does not replace preventing the write in the first place.

WARNING: Various services such as MySQL, Postgres, Plesk and Zend use /tmp as temporary storage. You must STOP these services before carrying out the procedure below. Failing to stop them can leave them writing into a directory that is then replaced underneath them; for MySQL this may cause major InnoDB database corruption.

1. Stop all services including Plesk, MySQL, Apache, Postgres, SpamAssassin and any other service utilizing the /tmp file system.

2. Copy all of the files in /tmp to a holding directory:

# cp -Rp /tmp /tmp-backup

3. If /tmp is already a separate partition on the server, you only need to edit /etc/fstab and add 'noexec', 'nosuid' and 'nodev' to the options (fourth) field of its existing line. Then remount the partition, which re-reads the options from /etc/fstab:

# mount -o remount /tmp

If /tmp is not a separate partition (check with '# df -h /tmp': the "Mounted on" column must say /tmp, not /) then you will need to follow steps 4 – 10 below. Otherwise, skip to step 11.

4. If the /tmp directory resides on the / partition, it is better to create a new filesystem for /tmp. Where repartitioning is not an option, a loopback file does the job; for example one of 1 GB (1048576 blocks of 1024 bytes):

# cd /var
# dd if=/dev/zero of=tmpMnt bs=1024 count=1048576
# mkfs.ext3 -j /var/tmpMnt

('-j' requests a journal, which mkfs.ext3 creates anyway; it is harmless here.)

5. Back up /etc/fstab, then add the line for the new filesystem (loop mount, read-write, noexec, nosuid and nodev; never fsck'ed or dumped):

# cp /etc/fstab /etc/fstab~
# echo "/var/tmpMnt /tmp ext3 loop,rw,noexec,nosuid,nodev 0 0" >> /etc/fstab

6. Mount the new /tmp filesystem with the same options you put in /etc/fstab (the original command omitted 'nodev'; '# mount /tmp' on its own also works once the fstab line exists and doubles as a check that the line is valid):

# mount -o loop,rw,noexec,nosuid,nodev /var/tmpMnt /tmp

7. /tmp must be world-writable with the sticky bit set, i.e. mode 1777, not 0777. Without the sticky bit any user can delete or rename other users' temporary files, which opens the door to symlink and race-condition attacks against the services using /tmp:

# chmod 1777 /tmp

8. /tmp ownership should be root:root :

# chown root:root /tmp

9. Copy the old tmp files to the new tmp directory. Use '/.' rather than '/*' so that dot-files (many services create hidden sockets and lock files) are included:

# cp -Rp /tmp-backup/. /tmp/
# rm -rf /tmp-backup

10. Optionally replace /var/tmp with a link into the new filesystem so that it gets the same mount options. Copy anything you need out of /var/tmp first, because this step deletes it. Note that /var/tmp is expected to survive reboots; a loopback file does, but if /tmp is ever moved to tmpfs this link must be undone:

# cp -Rp /var/tmp/. /tmp/
# rm -rf /var/tmp
# ln -s /tmp /var/tmp

11. Confirm that /tmp is mounted with noexec and nosuid:

# mount | grep ' /tmp '

Look for a line such as: "/var/tmpMnt on /tmp type ext3 (rw,noexec,nosuid,nodev)" (older versions of mount append "loop=/dev/loop0"; for a real partition the source is "/dev/sdaX"). The order of the options varies between versions; what matters is that noexec, nosuid and nodev all appear. If the grep prints nothing, /tmp is not a mount point and the fstab entry did not take effect.

12. Restart the services you previously shut down.
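As an added check (example code, not from the original post), the following POSIX shell script verifies the outcome of the procedure above instead of relying on eyeballing the mount output: it parses /proc/mounts records, reports which of noexec, nosuid and nodev are missing, and probes whether direct execution from /tmp is actually refused. The required-option list, the function names and the two sample mount records are assumptions for illustration; after step 12, run it with '--live' on the server.

```shell
#!/bin/sh
# Added example, not from the original post: verify that /tmp ended up with
# the intended mount options and that execution from it is really refused.
# Assumptions: POSIX sh with awk and mktemp, /proc/self/mounts readable.
# No root is needed for the checks themselves.

REQUIRED_OPTS="noexec nosuid nodev"   # assumed hardening baseline

# has_opt OPTLIST OPT: succeed if comma-separated OPTLIST contains OPT exactly
# ("exec" must not match "noexec").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_opts OPTLIST: print the required options absent from OPTLIST,
# space-separated on one line (an empty line when nothing is missing).
missing_opts() {
    _missing=""
    for _o in $REQUIRED_OPTS; do
        has_opt "$1" "$_o" || _missing="$_missing $_o"
    done
    printf '%s\n' "${_missing# }"
}

# check_mount_line LINE: LINE is one /proc/mounts record
# ("<source> <target> <fstype> <options> <dump> <pass>").
# Succeeds when every required option is present; otherwise names the
# missing ones on stderr and fails.
check_mount_line() {
    set -- $1                      # word-split: $2 = target, $4 = options
    _m=$(missing_opts "$4")
    if [ -n "$_m" ]; then
        printf '%s is missing: %s\n' "$2" "$_m" >&2
        return 1
    fi
    return 0
}

# check_live MOUNTPOINT: find MOUNTPOINT in /proc/self/mounts (last match wins,
# as with stacked mounts) and apply check_mount_line. Fails when it is not a
# mount point at all, i.e. /tmp is still a plain directory on /.
check_live() {
    _line=$(awk -v t="$1" '$2 == t { l = $0 } END { print l }' /proc/self/mounts)
    if [ -z "$_line" ]; then
        printf '%s is not a separate mount\n' "$1" >&2
        return 1
    fi
    check_mount_line "$_line"
}

# exec_blocked DIR: write a tiny executable script into DIR and try to run it
# directly. noexec makes the kernel refuse execve(), which the shell reports
# as exit status 126 ("Permission denied"); that is the only outcome accepted.
# Note that "sh $file" would still work: noexec stops direct execution only.
exec_blocked() {
    _f=$(mktemp "$1/noexec-probe.XXXXXX") || return 1
    printf '#!/bin/sh\nexit 0\n' > "$_f"
    chmod 755 "$_f"
    _rc=0
    "$_f" 2>/dev/null || _rc=$?
    rm -f "$_f"
    [ "$_rc" -eq 126 ]
}

# Constructed sample records (not captured from a real host): one correct
# loopback /tmp, one /tmp partition mounted with default options only.
GOOD="/var/tmpMnt /tmp ext3 rw,noexec,nosuid,nodev 0 0"
BAD="/dev/sda5 /tmp ext3 rw,relatime,data=ordered 0 0"

if [ "${1:-}" = "--live" ]; then
    if check_live /tmp && exec_blocked /tmp; then
        echo "/tmp: noexec, nosuid and nodev present; direct execution refused"
    else
        echo "/tmp: NOT hardened" >&2
        exit 1
    fi
fi
```

The option test is an exact token match on the comma-separated list, so a record that says only "rw,relatime" is reported as missing all three options and "exec" is never mistaken for "noexec". The execution probe is what proves the mount is doing its job; a mount line can look right while a later 'mount -o remount,exec' has silently undone it.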

NOTE: This article was updated on April 5th 2011 to include a more optimized process.
http://www.md3v.com/mount-the-tmp-partition-with-noexec-and-nosuid-options
