What is good practice making /tmp /var/tmp noexec on cpanel server?
Hello,
I read a few topics on how to make /tmp, /var/tmp and /dev/shm a "noexec" mount point:
SOLVED - secure /tmp directory
CentOS OpenVZ » how to secure tmp directory
Mount /tmp with noexec,nosuid options on Openvz
OpenVZ Forum: Users » How do I mount /tmp on VEs with noexec,nosuid options?
Currently I have this on my cPanel OpenVZ VPS & CentOS6:
# df -h|grep -v virtf
Filesystem Size Used Avail Use% Mounted on
/dev/simfs 342G 105G 238G 31% /
none 9.0G 4.0K 9.0G 1% /dev
none 9.0G 4.0K 9.0G 1% /dev/shm
tmpfs 9.0G 1.8M 9.0G 1% /tmp
tmpfs 9.0G 4.0K 9.0G 1% /var/tmp
# mount|grep -v virtfs
/dev/simfs on / type simfs (rw,relatime,usrquota,grpquota)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
none on /dev type devtmpfs (rw,relatime,mode=755)
none on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
none on /dev/shm type tmpfs (rw,nosuid,noexec,relatime)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,noexec,relatime)
tmpfs on /var/tmp type tmpfs (rw,nosuid,noexec,relatime)
# free -mht
total used free shared buffers cached
Mem: 18G 8.4G 9.6G 1.7M 0B 5.7G
-/+ buffers/cache: 2.7G 15G
Swap: 2.0G 13M 2.0G
Total: 20G 8.4G 11G
But it does not look good (all three have a 9GB virtual size in RAM - tmpfs). Would it be better to have it on HDD instead and have some different size? Which size do you recommend roughly in my case, please? In the mentioned post (SOLVED - secure /tmp directory) there is advice to symlink /var/tmp -> /tmp. Is it wise to do so?
PS: Before the mount or remount I assume stopping the cpanel, httpd and mysql services, then rsyncing all tmp folders, doing the mount or remount, rsyncing the files back and then starting the services.
Thank you
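Added example, not part of the original post: a shell check for the configuration shown above, confirming from mount-style output that /tmp, /var/tmp and /dev/shm each carry noexec and nosuid. The function name check_tmp_mounts, the verdict strings and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): audit temp mount points for noexec,nosuid.
# check_tmp_mounts reads `mount`-style lines on stdin:
#   <device> on <mountpoint> type <fstype> (<options>)
# and prints one verdict per path: OK, MISSING:<opts>, or NOT-MOUNTED.
# Exit status is 0 only when every path is OK.
check_tmp_mounts() {
    awk '
        BEGIN {
            n = split("/tmp /var/tmp /dev/shm", paths, " ")
            nreq = split("noexec nosuid", req, " ")
        }
        $2 == "on" && $4 == "type" {
            opts = $6
            gsub(/[()]/, "", opts)
            seen[$3] = opts      # a later mount on the same path is the active one
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                p = paths[i]
                # No mount entry of its own: a plain directory takes its options
                # from the parent filesystem, a symlink from its target.
                if (!(p in seen)) { print p, "NOT-MOUNTED"; bad = 1; continue }
                missing = ""
                for (j = 1; j <= nreq; j++)
                    if (("," seen[p] ",") !~ ("," req[j] ","))
                        missing = missing (missing == "" ? "" : ",") req[j]
                if (missing == "") print p, "OK"
                else { print p, "MISSING:" missing; bad = 1 }
            }
            exit bad
        }'
}

# Constructed sample: /tmp is mounted twice, the second time without noexec,
# and /var/tmp has no mount entry of its own.
SAMPLE_MOUNTS='/dev/simfs on / type simfs (rw,relatime,usrquota,grpquota)
none on /dev/shm type tmpfs (rw,nosuid,noexec,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,noexec,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,relatime)'

printf '%s\n' "$SAMPLE_MOUNTS" | check_tmp_mounts || true
# On a live system: mount | check_tmp_mounts
```

A NOT-MOUNTED verdict for /var/tmp is expected when it is a symlink to /tmp; in that case the verdict for /tmp is the one that applies.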
Hi. From what I can see, your server is an OpenVZ VPS container, so you will not have a separate partition, and the current tmp that is mounted on your machine is already a block file that is created on your machine, i.e., on the hard disk itself. I see no issue with keeping it this way and continuing. What exact issue are you facing with this?
Hello,
Your current configuration is one of the more common configurations for the /tmp partition in the cPanel environment. I don't recommend making any changes; however, you will likely find more user feedback on tmpfs performance or reliability at a website such as StackOverflow: StackOverFlow - tmpfs search results
Thank you.
Thx for the feedback! So from Michael's post, I will assume my setup is OK/optimal, until someone explains it is otherwise. BTW: If someone finds this topic wanting to apply a noexec tmp setup like mine, here are the steps I did.