A couple of days ago a CentOS Linux server that I took over administration of had some mysterious files show up in the /tmp and /var/tmp directories. The files were placed in /tmp and /var/tmp by the apache user, meaning there is some form of security hole in Apache or PHP, or one of the virtual hosts has an insecure application installed. Before looking into where the issue is I needed to lock things down so that no applications can be executed from these directories, regardless of any security flaw found in the future. Below are instructions on how to secure /tmp and /var/tmp.
Secure /tmp Directory On Linux:
- Generate 1GB File: Make sure that you have enough space on your hard drive using the df command (df -kh). Then generate a one gigabyte file that will be used for the /tmp directory using the syntax below. As you can see in the above output it took the server 5.3 seconds to generate the 1GB file, which will be used for both /tmp and /var/tmp once we are completed.
- Format File To EXT3: After the file is created you will need to format the file to ext3 or whatever filesystem you are using for the other directories on the Linux server using syntax similar to the below. The output is included below so you know that when the “Proceed anyway?” warning displays that you should type “y” for yes followed by enter to continue.
- Backup Current /tmp Directory: Now backup the current /tmp directory using the syntax below which will keep the same permissions for the files currently in /tmp.
- Mount New /tmp Directory: After backing up the data you can proceed with mounting the new /tmp directory with the syntax below. Notice we are mounting the /tmp directory with noexec and nosuid, which will stop direct execution of binary files and not allow set-user-identifier or set-group-identifier bits to take effect, respectively.
- Modify /tmp Directory Permissions: Use the syntax below to modify the permissions of the new /tmp directory on the CentOS Linux server.
- Copy Old /tmp Data: After the directory is mounted and the proper permissions are set you should copy the data from the old /tmp directory into the newly created /tmp directory. First cd into the /tmpbak directory and then copy all of the contents using the syntax below. You may also need to run the same command again but instead of using just * use .*, which will copy files beginning with a dot.
- Modify fstab: After verifying that the new /tmp directory is working properly you should add a line to the end of the /etc/fstab file so the new directory is mounted when the server reboots.
After finishing the above steps you should now test the /tmp directory to verify it is secure by copying an executable to /tmp and attempt to execute it. Once verified you should also follow the steps below to secure /var/tmp which can also be abused and cause issues on your server.
Secure /var/tmp On A CentOS Linux Server:
- Temporarily Move /var/tmp: Move the /var/tmp directory to a new location so you can create a symlink to the /tmp directory we already secured.
- Create A Symbolic Link: Once the directory has been moved you can now create a symbolic link to the /tmp directory using the syntax below. This makes /var/tmp the same filesystem as /tmp, so anything that still references the /var/tmp path keeps working.
- Copy /var/tmp Contents: Once the symbolic link is generated you should copy the contents of the /var/tmpbak directory to /var/tmp using the syntax below. Make sure to verify that all of the contents of the directory make it to the new directory.
Your /tmp and /var/tmp directories are now secured on your CentOS Linux server.
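The audit script below is an added example, not part of the original post: it checks the two end states the steps above produce (/tmp mounted with noexec and nosuid, /var/tmp as a symlink to /tmp) and prints the persistent /etc/fstab entry for the loopback image. The image path /usr/tmpDSK is an assumed placeholder and the sample mount table is constructed; noexec only stops direct execution of binaries, so treat the mount options as one layer alongside fixing the vulnerable application.

```shell
#!/bin/sh
# Added example (not from the original post): audit /tmp and /var/tmp after
# the hardening steps. Run with --live on the server to read /proc/mounts.

# Constructed sample of /proc/mounts output for offline testing.
# Fields: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/usr/tmpDSK /tmp ext3 rw,noexec,nosuid 0 0
tmpfs /dev/shm tmpfs rw 0 0'

# mount_opts MOUNTS_TEXT MOUNTPOINT -> prints the option field for MOUNTPOINT
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# has_opt OPTS NAME -> succeeds if NAME is one of the comma-separated OPTS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_tmp MOUNTS_TEXT MOUNTPOINT -> "secure", "not-mounted", or the
# missing options; non-zero exit unless both noexec and nosuid are present
check_tmp() {
    opts=$(mount_opts "$1" "$2")
    if [ -z "$opts" ]; then
        echo "not-mounted"
        return 1
    fi
    missing=""
    for want in noexec nosuid; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    if [ -z "$missing" ]; then
        echo "secure"
    else
        echo "missing:$missing"
        return 1
    fi
}

# fstab_line IMAGE MOUNTPOINT -> the /etc/fstab entry that keeps the
# loopback-mounted /tmp (with noexec,nosuid) across reboots
fstab_line() {
    printf '%s %s ext3 loop,noexec,nosuid,rw 0 0\n' "$1" "$2"
}

# Live audit of the real server state (requires Linux /proc).
if [ "${1:-}" = "--live" ] && [ -r /proc/mounts ]; then
    check_tmp "$(cat /proc/mounts)" /tmp
    [ -L /var/tmp ] && echo "/var/tmp -> $(readlink /var/tmp)"
fi
```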