Separate /tmp partition

Support for security such as Firewalls and securing linux
knopfler1980
Posts: 14
Joined: 2020/04/30 22:54:30

Separate /tmp partition

Post by knopfler1980 » 2020/04/30 23:35:32

Hi all, thanks for letting me join the forum.

I would like to ask for help, and I'm not sure if Security is the right section to post in.

When I was working at the acens hosting company between 2011 and 2014 I learned that /tmp had security problems, so at acens it was created as a separate partition.

I'm running
#cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
#uname -a
Linux x.x.x 3.10.0-1062.18.1.el7.x86_64 #1 SMP Tue Mar 17 23:49:17 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

This is a virtual machine created in Google Cloud Platform, and when I created it I didn't see any option to customize partitions when installing from an image. My server currently has these partitions:
#df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 286M 0 286M 0% /dev
tmpfs 294M 0 294M 0% /dev/shm
tmpfs 294M 33M 261M 12% /run
tmpfs 294M 0 294M 0% /sys/fs/cgroup
/dev/sda2 30G 13G 18G 43% /
/dev/sda1 200M 12M 189M 6% /boot/efi
tmpfs 59M 0 59M 0% /run/user/1001

I extended / (the sda2 partition) over the rest of the free disk I had, so now I wonder: is it possible to take some of the 18G available on / and create a /tmp partition? I saw this tutorial but I don't know if it will work:
https://www.cyberciti.biz/faq/howto-mou ... uid-nodev/

but my partition is xfs while the article uses ext4:
#mount | grep sda2
/dev/sda2 on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)

Also, there are comments saying it is not working:
"Great writeup. Small error: When modifying the /etc/fstab, you don't want to bind-mount the file /tmp because it's not a directory. The line should actually look like:
/root/images/tmpfile.bin /tmp ext4 rw,noexec,nosuid,nodev 0 0"

"In addition to Ben’s comment, you may also need to add the loop option for the file system to mount correctly at boot. You may be getting errors such as:
mount: /root/images/tmpfile.bin is not a block device (maybe try `-o loop’?)

To fix, just change the line in /etc/fstab to:

/root/images/tmpfile.bin /tmp ext4 loop,rw,noexec,nosuid,nodev 0 0"

So I guess the steps I should take would be:
1)# mkdir -p /root/images/
2)# dd if=/dev/zero of=/root/images/tmpfile.bin bs=1 count=0 seek=4G
3)# mkfs.ext4 /root/images/tmpfile.bin -> In this case, should I change something to format it as xfs, or not touch it because it has been written in xfs format?
4)# mount -o loop,rw,nodev,nosuid,noexec /root/images/tmpfile.bin /tmp
5)# chmod 1777 /tmp
6)# mount -o rw,noexec,nosuid,nodev,bind /tmp /var/tmp -> How do I proceed here? My tmp directory is under /:
#ls -lrt
total 6291476
drwxr-xr-x. 2 root root 6 Apr 11 2018 srv
drwxr-xr-x. 2 root root 6 Apr 11 2018 opt
drwxr-xr-x. 2 root root 6 Apr 11 2018 mnt
drwxr-xr-x. 2 root root 6 Apr 11 2018 media
lrwxrwxrwx. 1 root root 7 Oct 14 2019 bin -> usr/bin
lrwxrwxrwx. 1 root root 8 Oct 14 2019 sbin -> usr/sbin
lrwxrwxrwx. 1 root root 9 Oct 14 2019 lib64 -> usr/lib64
lrwxrwxrwx. 1 root root 7 Oct 14 2019 lib -> usr/lib
drwxr-xr-x. 5 root root 70 Mar 22 12:49 home
drwxr-xr-x. 20 root root 278 Mar 22 16:21 var
-rw-------. 1 root root 6442450944 Mar 23 02:12 swap
drwxr-xr-x. 13 root root 187 Mar 23 19:11 usr
dr-xr-xr-x. 115 root root 0 Apr 25 22:58 proc
dr-xr-xr-x. 13 root root 0 Apr 25 22:58 sys
drwxr-xr-x. 17 root root 2920 Apr 25 22:58 dev
dr-xr-x---. 4 root root 246 Apr 28 03:06 root
dr-xr-xr-x. 5 root root 4096 May 1 01:10 boot
drwxr-xr-x. 33 root root 940 May 1 01:10 run
drwxr-xr-x. 98 root root 8192 May 1 01:13 etc
drwxrwxrwt. 55 root root 4096 May 1 01:26 tmp
7)# vi /etc/fstab
8)/root/images/tmpfile.bin /tmp xfs rw,noexec,nosuid,nodev,bind 0 0 (NOTE: here I changed the tutorial's ext4 to xfs)
9)/tmp /tmp none rw,noexec,nosuid,nodev,bind 0 0 (NOTE: here I changed the tutorial's /var/tmp to /tmp, which is where my tmp is mounted)

I suggested to Google Cloud engineering support that they change this, but they don't want to; any new Linux or CentOS sysadmin who has no idea about security hardening could have issues from not having /tmp on a separate partition with noexec, nosuid and nodev.

Thanks for your help

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Separate /tmp partition

Post by TrevorH » 2020/05/01 10:22:34

Or, alternatively, run systemctl enable tmp.mount and set /tmp up on tmpfs then edit the unit file to set your options as required. CentOS 7 seems to default to Options=mode=1777,strictatime and CentOS 8 to Options=mode=1777,strictatime,nosuid,nodev
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

knopfler1980
Posts: 14
Joined: 2020/04/30 22:54:30

Re: Separate /tmp partition

Post by knopfler1980 » 2020/05/01 23:51:10

TrevorH wrote:
2020/05/01 10:22:34
Or, alternatively, run systemctl enable tmp.mount and set /tmp up on tmpfs then edit the unit file to set your options as required. CentOS 7 seems to default to Options=mode=1777,strictatime and CentOS 8 to Options=mode=1777,strictatime,nosuid,nodev
1) Sorry for asking this, but when you say set /tmp up on tmpfs, do you mean to add it to /etc/fstab as tmpfs?

2) When you say edit the unit file and set options, do you mean add at the end of /etc/fstab /tmp partition noexec,nosuid,nodev,bind 0 0?

3) Do you think this configuration is advisable? By default Google Cloud Platform virtual machine images don't have this partitioning scheme, and I opened a Feature Request because I think this would make all CentOS image deployments secure by default, but they didn't seem to like the idea much, as it's supposed to be customizable at installation (options that I didn't find).

Thanks in advance, regards and have a nice day!!!!

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Separate /tmp partition

Post by TrevorH » 2020/05/02 00:32:23

No, you don't need to touch fstab for this. Use systemctl cat tmp.mount to see its current contents. You can make changes to the unit file using override files. So, here on CentOS 8 (works exactly the same on 7) I did this (note I have a bash alias sc=/usr/bin/systemctl):


[root@centos8 ~]# sc cat tmp.mount
# /usr/lib/systemd/system/tmp.mount
#  SPDX-License-Identifier: LGPL-2.1+
#
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

[Unit]
Description=Temporary Directory (/tmp)
Documentation=man:hier(7)
Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
ConditionPathIsSymbolicLink=!/tmp
DefaultDependencies=no
Conflicts=umount.target
Before=local-fs.target umount.target
After=swap.target

[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,nosuid,nodev

# Make 'systemctl enable tmp.mount' work:
[Install]
WantedBy=local-fs.target
[root@centos8 ~]# sc edit tmp.mount ## now you're in vim so add the following two lines and save
[Mount]
Options=mode=1777,strictatime,nosuid,nodev,noexec
[root@centos8 ~]# sc cat tmp.mount
# /usr/lib/systemd/system/tmp.mount
#  SPDX-License-Identifier: LGPL-2.1+
#
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

[Unit]
Description=Temporary Directory (/tmp)
Documentation=man:hier(7)
Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
ConditionPathIsSymbolicLink=!/tmp
DefaultDependencies=no
Conflicts=umount.target
Before=local-fs.target umount.target
After=swap.target

[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,nosuid,nodev

# Make 'systemctl enable tmp.mount' work:
[Install]
WantedBy=local-fs.target

# /etc/systemd/system/tmp.mount.d/override.conf
[Mount]
Options=mode=1777,strictatime,nosuid,nodev,noexec
[root@centos8 ~]# sc is-enabled tmp.mount
disabled
[root@centos8 tmp]# sc start tmp.mount
[root@centos8 tmp]# df -m /tmp
Filesystem                                 1M-blocks    Used Available Use% Mounted on
tmpfs                                           1499       0      1499   0% /tmp
[root@centos8 tmp]# grep /tmp /proc/mounts
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev,noexec 0 0
So, that's what it looked like before; then I created an override file and set the Options to include noexec and saved it, showed what it looked like after, checked to see if it's enabled (it isn't by default, and you need to enable it to have it start at boot), started it, and showed df and the line from /proc/mounts to show that it did set noexec.
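Whichever route is taken, the loop-file /tmp from the first post or the tmp.mount override above, the thing worth verifying afterwards is the line in /proc/mounts. The following is an added example, not code from the thread: a small POSIX sh check that reads a mounts table in /proc/mounts format and reports which of nosuid, nodev and noexec a mount point is missing. The sample table is constructed here to mirror the outputs shown in the thread.

```shell
#!/bin/sh
# Added example: verify that a mount point carries the hardening options
# discussed in the thread (nosuid, nodev, noexec). Not from the original post.

# Constructed sample in /proc/mounts format (device mountpoint fstype options dump pass).
# /tmp is fully hardened, /dev/shm lacks noexec, /var/tmp is not mounted at all.
SAMPLE_MOUNTS='/dev/sda2 / xfs rw,relatime,seclabel,attr2,inode64,noquota 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev 0 0'

# Print the options field (4th column) for mount point $1 from mounts text $2.
mount_opts() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# check_mount_opts MOUNTPOINT MOUNTS_TEXT
# Returns 0 when all required options are present, 1 when some are missing,
# 2 when MOUNTPOINT does not appear in the table (i.e. it is just a directory
# on the parent filesystem, so the parent's options apply instead).
check_mount_opts() {
    mp="$1"; mounts="$2"; required="nosuid nodev noexec"
    opts=$(mount_opts "$mp" "$mounts")
    if [ -z "$opts" ]; then
        echo "$mp: not a separate mount point"
        return 2
    fi
    missing=""
    for o in $required; do
        # Surround with commas so "nodev" does not match inside another word.
        case ",$opts," in
            *",$o,"*) ;;
            *) missing="$missing $o" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing (has: $opts)"
        return 1
    fi
    echo "$mp: ok ($opts)"
    return 0
}

# Stand-alone run against the constructed sample.
for mp in /tmp /dev/shm /var/tmp; do
    check_mount_opts "$mp" "$SAMPLE_MOUNTS" || true
done
```

On a live host, pass the real table with `check_mount_opts /tmp "$(cat /proc/mounts)"`; a return of 2 means /tmp is still part of / and none of the options apply to it.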

knopfler1980
Posts: 14
Joined: 2020/04/30 22:54:30

Re: Separate /tmp partition

Post by knopfler1980 » 2020/05/02 01:44:13

Thanks a lot, this is totally new for me!! https://media.giphy.com/media/vCKC987OpQAco/giphy.gif

Have a nice day

knopfler1980
Posts: 14
Joined: 2020/04/30 22:54:30

Re: Separate /tmp partition

Post by knopfler1980 » 2020/05/04 21:44:13

One last question: are there any other partitions that should be separated?

This link https://serverfault.com/questions/58040 ... llow-parti talks about /home, to prevent the possibility of privilege escalation through hard-link-based attacks.

Thanks in advance.

Regards

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Separate /tmp partition

Post by jlehtone » 2020/05/05 06:13:25

knopfler1980 wrote:
2020/05/04 21:44:13
One last question: are there any other partitions that should be separated?
I don't know about "should", except that getting a system to boot can require something (for example, your Google image has the ESP).

Some partitioning is convenient to have:
https://access.redhat.com/documentation ... scheme-x86

A bit later in that document it is pointed out that some directories practically must be in the root volume.

knopfler1980
Posts: 14
Joined: 2020/04/30 22:54:30

Re: Separate /tmp partition

Post by knopfler1980 » 2020/05/06 02:09:00

jlehtone wrote:
2020/05/05 06:13:25
knopfler1980 wrote:
2020/05/04 21:44:13
One last question: are there any other partitions that should be separated?
I don't know about "should", except that getting a system to boot can require something (for example, your Google image has the ESP).

Some partitioning is convenient to have:
https://access.redhat.com/documentation ... scheme-x86

A bit later in that document it is pointed out that some directories practically must be in the root volume.
I have checked the Red Hat documentation; it says that /home should be in a different partition because: "This will enable you to upgrade or reinstall Red Hat Enterprise Linux without erasing user data files". Well, in this case, with no security problems, I won't have to do that, because if I need to reinstall I use virtual machine snapshots (I store just 1 copy to avoid Google Cloud Platform charges, and for every important configuration change I make, I take a snapshot and reflect it in the image description, which has a history of all server changes).

I was worried because when I was working at acens, /tmp was separated because of security problems; now that I see /home is for reinstalling, I don't need to change anything except the /tmp partition.

Thanks a lot for your time and link, I appreciate it

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Separate /tmp partition

Post by jlehtone » 2020/05/06 08:44:07

knopfler1980 wrote:
2020/05/06 02:09:00
I won't have to do that, because if I need to reinstall I use virtual machine snapshots (for every important configuration change I make, I take a snapshot and reflect it in the image description, which has a history of all server changes).
A snapshot is a copy of the entire volume, is it not?

If you make a snapshot, remove the VM, and create a new VM from the snapshot, then that is not a reinstall. It is a mere continuation from a restored backup dump.

When one "installs a machine", one prepares filesystems (a configuration choice), installs packages (what to install is a configuration choice), configures installed software, and then adds user data.

If you do a "fresh install", the OS packages and their configuration are likely to change. You might have CentOS 7 today, but install Ubuntu 20.04 LTS or CentOS 8 tomorrow. You can't do that from a snapshot, but you could do it from a suitably abstract set of notes.

Even "user data" is split into various types. The authentication & authorization system of the OS requires uid/gid/etc. Desktop preferences are files that are tied to the version of the desktop.

Then there is "regular user data", the documents. Documents should not change on system updates.


There are OS files, configuration, and documents. They should be treated differently. OS files you "get back" by running installer. Configuration you "apply". Documents you "transfer".

knopfler1980
Posts: 14
Joined: 2020/04/30 22:54:30

Re: Separate /tmp partition

Post by knopfler1980 » 2020/05/07 22:42:08

jlehtone wrote:
2020/05/06 08:44:07
knopfler1980 wrote:
2020/05/06 02:09:00
I won't have to do that, because if I need to reinstall I use virtual machine snapshots (for every important configuration change I make, I take a snapshot and reflect it in the image description, which has a history of all server changes).
A snapshot is a copy of the entire volume, is it not?

If you make a snapshot, remove the VM, and create a new VM from the snapshot, then that is not a reinstall. It is a mere continuation from a restored backup dump.
You are totally right, I expressed it wrong; it's a snapshot restore, maybe?
jlehtone wrote:
2020/05/06 08:44:07
When one "installs a machine", one prepares filesystems (a configuration choice), installs packages (what to install is a configuration choice), configures installed software, and then adds user data.

If you do a "fresh install", the OS packages and their configuration are likely to change. You might have CentOS 7 today, but install Ubuntu 20.04 LTS or CentOS 8 tomorrow. You can't do that from a snapshot, but you could do it from a suitably abstract set of notes.
Well, I will probably have to do that in the future when CentOS 7 no longer has support; in that case I will need a fresh install, and I don't know how to migrate configurations from one server to another, probably by installing the same apps and uploading the server configurations if there are no drastic changes in the apps themselves. And about filesystems, when I deployed the image I didn't find any option at that moment to customize filesystems (I'm not blaming Google for it; I probably did it a bit fast). At the moment, I have suggested to Google that they add their own network range to the SSH/RDP firewall allow rules, as they have their own console to connect to the server (at least with ssh), and I did the same about the /tmp filesystem, but I think that one won't be considered.
jlehtone wrote:
2020/05/06 08:44:07
Even "user data" is split into various types. The authentication & authorization system of the OS requires uid/gid/etc. Desktop preferences are files that are tied to the version of the desktop.

Then there is "regular user data", the documents. Documents should not change on system updates.


There are OS files, configuration, and documents. They should be treated differently. OS files you "get back" by running installer. Configuration you "apply". Documents you "transfer".
Well, in my case the system shouldn't have many users that could use LDAP, for instance, but it will have them via WordPress, so all those settings I would leave to a WordPress migration plugin. But if I had users, authorization, profiles and documents, that would be a migration which involved a fresh install, as I don't have a newer CentOS server version configured like the one I'm doing at the moment, and also a migration; I could probably find a tool to help me with the process, but again, you are right, an install is not the same as a restore from snapshot.

Thanks for your correction. I appreciate it.

Regards
