How to Secure /tmp and /var/tmp on your VPS

Posted on May 25, 2018 at 10:24 pm

It is very important to disable script execution on /tmp and /var/tmp. This way an attacker would not be able (at least not that easily) to become root by executing local root exploits or other bash scripts from those directories. We will use the “noexec” mount flag to disable execution of bash scripts on the temp folders.

* This guide is for a VPS; we assume /tmp is not already a separate partition. *

1) Secure /tmp

Create a 1GB file to back our /tmp partition:

dd if=/dev/zero of=/var/tmpMountFile bs=1024 count=1000000

Format the new file as an ext4 filesystem:

mkfs.ext4 /var/tmpMountFile

Mount the new /tmp filesystem with noexec:

mount -o rw,nodev,nosuid,noexec /var/tmpMountFile /tmp

Set correct permissions for /tmp:

chmod 1777 /tmp

Add this line to /etc/fstab so it mounts on reboot:

/var/tmpMountFile /tmp ext4 rw,nodev,nosuid,noexec 0 0

2) Secure /dev/shm

Make sure /dev/shm has noexec.

Edit /etc/fstab and add this line (or make sure it is present):

tmpfs /dev/shm tmpfs defaults,rw,nosuid,nodev,noexec 0 0

3) Secure /var/tmp

Back up the /var/tmp content to /var/tmpbak:

mv /var/tmp /var/tmpbak

Create a symbolic link to /tmp:

ln -s /tmp /var/tmp

Copy the old /var/tmp content to /tmp (-a keeps ownership and permissions, and copying "/." also includes hidden files):

cp -a /var/tmpbak/. /tmp/

Remove the /var/tmp backup folder:

rm -rf /var/tmpbak

4) Fix for apt-get install

Since /tmp now has noexec, you need to edit:

/etc/apt/apt.conf.d/70debconf

and add these two lines:

DPkg::Pre-Invoke {"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount /tmp";};

5) Final thought

Now you just need to reboot the VPS.
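After the reboot it is worth confirming that the flags really are in place, and checking again later in case an apt run from step 4 left /tmp remounted with exec. The script below is an added example, not part of the original post; it parses the kernel mount table and reports on each mount point (the file name check_tmp.sh and the MOUNTS_FILE override are assumptions made here for testing).

```shell
#!/bin/sh
# Added audit script, not part of the original post. It reads the kernel's
# mount table (/proc/self/mounts) and confirms that each temp location still
# carries nodev,nosuid,noexec, e.g. after a reboot or after the apt
# Pre-Invoke/Post-Invoke remount from step 4. MOUNTS_FILE can be pointed at a
# constructed copy of the mount table for testing.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/self/mounts}"

# mount_opts <mountpoint>: print the option field of the (last) matching
# mount-table line, or an empty line if nothing is mounted there.
mount_opts() {
    awk -v mp="$1" '$2 == mp { o = $4 } END { print o }' "$MOUNTS_FILE"
}

# has_opts <mountpoint> <opt>...: 0 if every option is present,
# 1 if one is missing, 2 if the path is not a mount point at all.
has_opts() {
    mp="$1"; shift
    opts=",$(mount_opts "$mp"),"
    [ "$opts" != ",," ] || return 2
    for want in "$@"; do
        case "$opts" in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# check_tmp_dirs <mountpoint>...: print one OK/FAIL line per mount point
# and return the number of mount points missing a hardening flag.
check_tmp_dirs() {
    failures=0
    for mp in "$@"; do
        if has_opts "$mp" nodev nosuid noexec; then
            echo "OK   $mp (options: $(mount_opts "$mp"))"
        else
            echo "FAIL $mp (options: '$(mount_opts "$mp")')"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# `sh check_tmp.sh audit` checks the live system; step 3 turns /var/tmp into
# a symlink to /tmp, so /tmp and /dev/shm are the two real mount points.
if [ "${1:-}" = "audit" ]; then
    check_tmp_dirs /tmp /dev/shm
fi
```

The exit status is the number of failing mount points, so the script can be dropped into cron or a monitoring check as-is.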
