Blog

Secure TMP Folder on Webserver against execution

Introduction

Often web servers (or hosting subscriptions) are writing in tmp folder. Therefore, it’s good to keep the tmp folder clean and safe. A good way to secure your tmp folder on a linux machine is to disallow script execution in the tmp folder. I will show you how to check and secure your tmp folder.

Please be aware that sometimes server control panels need execution within the tmp folder.

Step 1 – Login to your web server

First, login to your server via SSH. Be sure you have root permissions.

Step 2 – Check if a tmp folder already exists!

With the following command you can see if there’s already a tmp folder:

root@server:~# mount | egrep --color -w '^(tmpfs|/tmp)|/tmp'

Please copy the whole command except the # sign.

The output can be something like this if a dedicated partition is used for tmp: “/filesystems/tmp_fs on /tmp type ext3 (rw,nosuid,noexec,relatime,data=ordered)”
If not, the output probably looks like: “tmpfs on /tmp type tmpfs (rw,nosuid,nodev)”

If there is no such output, please continue.

Step 3 – Create a 4GB partition

Run the three commands one after the other.

root@server:~# mkdir /filesystems # create a new folder
root@server:~# dd if=/dev/zero of=/filesystems/tmp_fs seek=2048 count=2048 bs=1M # create a 2GB file called tmp_fs
root@server:~# mkfs.ext3 /filesystems/tmp_fs # create an ext3 filesystem on the newly created file

Step 4 – Make sure your partition will start with a reboot

We will add the following code into /etc/fstab.

Open fstab:

root@server:~# nano /etc/fstab

Insert the following at the end of the file:

/filesystems/tmp_fs /tmp ext3 noexec,nosuid,loop 0 0

Important: in the fstab file, always keep an empty row after the whole content, otherwise fstab won’t work after a reboot.

Save the file and continue.

Step 5 – Backup the current tmp folder

root@server:~# cd /
root@server:~# cp -R /tmp /tmp_backup

Step 6 – Mount the new tmp folder

This will be done with the noexec, nosuid, and rw options.

root@server:~# mount -o loop,noexec,nosuid,rw /filesystems/tmp_fs /tmp

Set the correct permissions:

root@server:~# chmod 1777 /tmp

Step 7 – Copy old files to the new location

root@server:~# cp -R /tmp_backup/* /tmp/
root@server:~# rm -rf /tmp_backup

Step 8 – Check tmp folder and try execution (Optional)

Check if new partition exists:

root@server:~# df -h
root@server:~# mount

Check if you can execute any script:

root@server:~# cp /bin/ls /tmp
root@server:~# chmod 755 /tmp/ls

Run ls:

root@server:~# /tmp/ls

If everything worked, you should now get the following output “Permission denied”.

You can clean up with following command:

root@server:~# rm /tmp/ls

Conclusion

Your web server is now secured against bad scripts and attacks on the tmp folder. If you have any questions or feedback, please feel free to contact me.

Reprint:https://community.hetzner.com/tutorials/secure-tmp-folder

Posted

in

by

admin

Tags:

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *