Separate /tmp partition
Posted: 2020/04/30 23:35:32
Hi all, thanks for letting me join the forum.
I would like to ask for help and I'm not sure if Security is the right section to post.
Since I was working in acens hosting company between 2011-2014 I learned that /tmp had security problems so in acens was created as a separated partition.
I'm running
#cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
#uname -a
Linux x.x.x 3.10.0-1062.18.1.el7.x86_64 #1 SMP Tue Mar 17 23:49:17 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
This is a virtual machine created in Google Cloud Platform, and when I created it I didn't see any option to customize partitions when installing from an image. My server currently has these partitions:
#df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 286M 0 286M 0% /dev
tmpfs 294M 0 294M 0% /dev/shm
tmpfs 294M 33M 261M 12% /run
tmpfs 294M 0 294M 0% /sys/fs/cgroup
/dev/sda2 30G 13G 18G 43% /
/dev/sda1 200M 12M 189M 6% /boot/efi
tmpfs 59M 0 59M 0% /run/user/1001
I extended / or sda2 partition to the rest of free disk I had so now I wonder, is it possible to take some of the 18G available space from / and create a /tmp partition? I see this tutorial but I don't know if it will work:
https://www.cyberciti.biz/faq/howto-mou ... uid-nodev/
but my partition is xfs while article is in ext4:
#mount | grep sda2
/dev/sda2 on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
Also, there are comments saying it is not working:
"Great writeup. Small error: When modifying the /etc/fstab, you don’t want to bind-mount the file /tmp because its not a directory. The line should actually look like:
/root/images/tmpfile.bin /tmp ext4 rw,noexec,nosuid,nodev 0 0"
"In addition to Ben’s comment, you may also need to add the loop option for the file system to mount correctly at boot. You may be getting errors such as:
mount: /root/images/tmpfile.bin is not a block device (maybe try `-o loop’?)
To fix, just change the line in /etc/fstab to:
/root/images/tmpfile.bin /tmp ext4 loop,rw,noexec,nosuid,nodev 0 0"
So I guess the steps I should take would be:
1)# mkdir -p /root/images/
2)# dd if=/dev/zero of=/root/images/tmpfile.bin bs=1 count=0 seek=4G
3)# mkfs.ext4 /root/images/tmpfile.bin -> In this case, should I change something to format it in xfs, or leave it alone because it has been written in xfs format?
4)# mount -o loop,rw,nodev,nosuid,noexec /root/images/tmpfile.bin /tmp
5)# chmod 1777 /tmp
6)# mount -o rw,noexec,nosuid,nodev,bind /tmp /var/tmp -> How to proceed here? My tmp directory is under /:
#ls -lrt
total 6291476
drwxr-xr-x. 2 root root 6 Apr 11 2018 srv
drwxr-xr-x. 2 root root 6 Apr 11 2018 opt
drwxr-xr-x. 2 root root 6 Apr 11 2018 mnt
drwxr-xr-x. 2 root root 6 Apr 11 2018 media
lrwxrwxrwx. 1 root root 7 Oct 14 2019 bin -> usr/bin
lrwxrwxrwx. 1 root root 8 Oct 14 2019 sbin -> usr/sbin
lrwxrwxrwx. 1 root root 9 Oct 14 2019 lib64 -> usr/lib64
lrwxrwxrwx. 1 root root 7 Oct 14 2019 lib -> usr/lib
drwxr-xr-x. 5 root root 70 Mar 22 12:49 home
drwxr-xr-x. 20 root root 278 Mar 22 16:21 var
-rw-------. 1 root root 6442450944 Mar 23 02:12 swap
drwxr-xr-x. 13 root root 187 Mar 23 19:11 usr
dr-xr-xr-x. 115 root root 0 Apr 25 22:58 proc
dr-xr-xr-x. 13 root root 0 Apr 25 22:58 sys
drwxr-xr-x. 17 root root 2920 Apr 25 22:58 dev
dr-xr-x---. 4 root root 246 Apr 28 03:06 root
dr-xr-xr-x. 5 root root 4096 May 1 01:10 boot
drwxr-xr-x. 33 root root 940 May 1 01:10 run
drwxr-xr-x. 98 root root 8192 May 1 01:13 etc
drwxrwxrwt. 55 root root 4096 May 1 01:26 tmp
7)# vi /etc/fstab
8)/root/images/tmpfile.bin /tmp xfs rw,noexec,nosuid,nodev,bind 0 0 (NOTE I changed here ext4 for xfs in tutorial)
9)/tmp /tmp none rw,noexec,nosuid,nodev,bind 0 0 (NOTE I changed here /var/tmp for /tmp, which is where my tmp is mounted)
I suggested to Google Cloud engineering support that they modify this, but they don't want to. Any new Linux or CentOS sysadmin who has no idea about security hardening could have issues from not having tmp in a separate partition with noexec, nosuid and nodev.
Thanks for your help
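The procedure the post is asking about, written out as an added example (this is not code from the post or from the linked tutorial). It assumes the image path /root/images/tmpfile.bin and the 4G size from the post, formats the image as XFS (the type column in fstab describes the filesystem inside the image file, not the root disk, so the post's question about xfs vs ext4 is answered by whichever mkfs is run on the file), follows the tutorial in binding /tmp onto /var/tmp rather than onto itself, and assumes a CentOS 7 host with SELinux as the post's mount output suggests. Nothing is changed on the system unless the script is run with --apply; without it, the script only prints the fstab lines. The check_hardened function reads a /proc/mounts-style table and can be run on its own after a reboot to confirm the flags took effect.

```shell
#!/bin/bash
# Added example: loop-file-backed /tmp with noexec,nosuid,nodev on an XFS root.
# Assumed values (from the post): image path and 4G size. XFS for the image is a choice.
set -eu

IMG=${IMG:-/root/images/tmpfile.bin}
SIZE=${SIZE:-4G}
TMP_OPTS=loop,rw,noexec,nosuid,nodev

# /etc/fstab lines. The type column is the filesystem INSIDE the image (xfs,
# because mkfs.xfs is run on it below). "loop" is needed because the source is
# a regular file, not a block device. The bind line puts /tmp onto /var/tmp.
fstab_lines() {
  printf '%s /tmp xfs %s 0 0\n' "$IMG" "$TMP_OPTS"
  printf '/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0\n'
}

# Read a /proc/mounts-style table on stdin. Return 0 only if the LAST entry for
# mountpoint $1 (the one that is actually visible) has noexec, nosuid and nodev.
# Returns 2 if nothing is mounted there, 1 if any of the three flags is missing.
check_hardened() {
  local mp=$1 last='' dev mpt fstype opts rest opt
  while read -r dev mpt fstype opts rest; do
    [ "$mpt" = "$mp" ] && last=$opts
  done
  [ -n "$last" ] || return 2
  for opt in noexec nosuid nodev; do
    case ",$last," in
      *",$opt,"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Create the sparse image and format it as XFS. Refuses to clobber an existing file.
make_image() {
  [ -e "$IMG" ] && { echo "refusing to overwrite $IMG" >&2; return 1; }
  mkdir -p "$(dirname "$IMG")"
  dd if=/dev/zero of="$IMG" bs=1 count=0 seek="$SIZE" status=none
  chmod 600 "$IMG"          # only root should be able to read the backing file
  mkfs.xfs -q "$IMG"
}

# Mount the image over /tmp, bind it onto /var/tmp with the same flags, then
# verify both from the live mount table. Do this while nothing is using /tmp:
# whatever is in /tmp now becomes hidden underneath the new mount.
apply() {
  make_image
  mount -o "$TMP_OPTS" "$IMG" /tmp
  chmod 1777 /tmp
  restorecon /tmp 2>/dev/null || true    # SELinux label; the post's root mount shows seclabel
  mount -o bind /tmp /var/tmp
  # Older util-linux (as on CentOS 7) may not apply noexec/nosuid/nodev on the
  # initial bind; an explicit remount sets them and is harmless on newer versions.
  mount -o remount,bind,noexec,nosuid,nodev /var/tmp
  local mp
  for mp in /tmp /var/tmp; do
    check_hardened "$mp" < /proc/mounts || { echo "$mp is NOT hardened" >&2; return 1; }
    echo "$mp: noexec,nosuid,nodev verified"
  done
  echo "append these lines to /etc/fstab, reboot, then re-run the check:"
  fstab_lines
}

# Only touch the system when asked explicitly; otherwise just print the fstab lines.
if [ "${1:-}" = "--apply" ]; then
  apply
else
  fstab_lines
fi
```

After the reboot, `check_hardened /var/tmp < /proc/mounts; echo $?` is the thing to look at: if it returns 1 for /var/tmp while /tmp returns 0, the bind mount came up without the flags and a second fstab line with `remount,bind,noexec,nosuid,nodev` for /var/tmp is needed. A loop-backed file on the root filesystem also still lives on the same disk as /, so the 4G image is what bounds how much /tmp can fill, not a separate physical device.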