A couple days ago a CentOS Linux server that I took over administration on had some mysterious files show up in the /tmp and /var/tmp directories. The files were placed in /tmp and /var/tmp by the apache user meaning there is some form of security hole in Apache, PHP, or one of the virtual hosts has an insecure application installed. Before looking into where the issue is I needed to lock things down so no applications could be executed from these directories in the future regardless of a security flaw in the future. Below are instructions on how to secure /tmp and /var/tmp.
Secure /tmp Directory On Linux:
- Generate 1GB File: Make sure that you have enough space on your hard drive using the df (df -kh) command. Then generate a one gigabyte file that will be used for the /tmp directory using the syntax below.
# dd if=/dev/zero of=/dev/tmpDIR bs=1024 count=1000000
1000000+0 records out
1024000000 bytes (1.0 GB) copied, 5.32903 seconds, 192 MB
As you can see in the above output it took the server 5.3 seconds to generate the 1GB file which will be used for both /tmp and /var/tmp once we are completed.
- Format File To EXT3: After the file is created you will need to format the file to ext3 or whatever filesystem you are using for the other directories on the Linux server using syntax similar to the below. The output is included below so you know that when the “Proceed anyway?” warning displays that you should type “y” for yes followed by enter to continue.
# /sbin/mkfs.ext3 /dev/tmpDIR
mke2fs 1.39 (29-May-2006)
is not a block special device.
Proceed anyway? (y,n) y
Block size=4096 (log=2)
Fragment size=4096 (log=2)
125184 inodes, 250000 blocks
12500 blocks (5.00%) reserved
the super user
First data block=0
Maximum filesystem blocks=260046848
32768 blocks per group, 32768 fragments per group
15648 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376
Writing inode tables:
Creating journal (4096 blocks):
Writing superblocks and filesystem accounting information:
This filesystem will be automatically checked every 24 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
- Backup Current /tmp Directory: Now backup the current /tmp directory using the syntax below which will keep the same permissions for the files currently in /tmp.
# cp -Rpf /tmp /tmpbak
- Mount New /tmp Directory: After backing up the data you can proceed with mounting the new /tmp directory with the syntax below.
# mount -o loop,noexec,nosuid,rw /dev/tmpDIR /tmp
Notice we are mounting the /tmp directory with noexec and nosuid which will stop direct execution of binary files and not allow set-user-identifier or set-group-identifier bits to take effect respectively.
- Modify /tmp Directory Permissions: Use the syntax below to modify the permissions of the new /tmp directory on the CentOS Linux server.
# chmod 1777 /tmp
- Copy Old /tmp Data: After the directory is mounted and the proper permissions are set you should copy the data from the old /tmp directory into the newly created /tmp directory. First cd into the /tmpbak directory and then copy all of the contents using the syntax below.
# cd /tmpbak
# cp -Rpf * /tmp/
You may also need to run the same command again but instead of using just * use .* which will copy files beginning with a dot.
- Modify fstab: After verifying that the new /tmp directory is working properly you should add a line to the end of the /etc/fstab file so the new directory is mounted when the server reboots.
ext3 loop,nosuid,noexec,rw 0 0
After finishing the above steps you should now test the /tmp directory to verify it is secure by copying an executable to /tmp and attempt to execute it. Once verified you should also follow the steps below to secure /var/tmp which can also be abused and cause issues on your server.
Secure /var/tmp On A CentOS Linux Server:
- Temporarily Move /var/tmp: Move the /var/tmp directory to a new location so you can create a symlink to the /tmp directory we already secured.
# mv /var/tmp /var/tmpbak
- Create A Symbolic Link: Once the directory has been moved you can now create a symbolic link to the /tmp directory using the syntax below. This will make /var/tmp the same as /tmp while keeping the path integrity.
# ln -s /tmp /var/tmp
- Copy /var/tmp Contents: Once the symbolic link is generated you should copy the contents of the /var/tmpbak directory to /var/tmp using the syntax below.
# cp -pR /var/tmpbak/* /tmp
Make sure to verify all of the contents of the directory make it to the new directory.
Your /tmp and /var/tmp directories are now secured on your CentOS Linux server.