
Secure TMP Folder on Webserver against execution

Author: Daniel McDonald
Published: 2019-03-29
Time to read: 4 minutes

About the author: Daniel is a web developer and designer. His company was founded in 2013.

Introduction

Web servers (and hosting subscriptions) often write to the tmp folder, so it is good to keep that folder clean and safe. A good way to secure the tmp folder on a Linux machine is to disallow script execution in it. I will show you how to check and secure your tmp folder.

Please be aware that sometimes server control panels need execution within the tmp folder.

Step 1 - Log in to your web server

First, log in to your server via SSH. Be sure you have root permissions.

Step 2 - Check if a tmp mount already exists

With the following command you can see whether /tmp is already mounted as its own filesystem:

root@server:~# mount | egrep --color -w '^(tmpfs|/tmp)|/tmp'

Copy only the command itself, without the root@server:~# prompt.

The output can be something like this if a dedicated partition is used for tmp: "/filesystems/tmp_fs on /tmp type ext3 (rw,nosuid,noexec,relatime,data=ordered)"
If not, the output probably looks like: "tmpfs on /tmp type tmpfs (rw,nosuid,nodev)"

If there is no such output, please continue.

Step 3 - Create a 4GB partition

Run the three commands one after the other.

root@server:~# mkdir /filesystems # create a new folder
root@server:~# dd if=/dev/zero of=/filesystems/tmp_fs seek=2048 count=2048 bs=1M # create a 4GB file called tmp_fs: seek leaves the first 2GB sparse, then 2GB of zeros is written
root@server:~# mkfs.ext3 /filesystems/tmp_fs # create an ext3 filesystem on the newly created file

Step 4 - Make sure your partition will start with a reboot

We will add the following code into /etc/fstab.

Open fstab:

root@server:~# nano /etc/fstab

Insert the following at the end of the file:

/filesystems/tmp_fs /tmp ext3 noexec,nosuid,loop 0 0

Important: in the fstab file, always keep an empty line after the last entry, otherwise fstab won't work after a reboot.

Save the file and continue.

Step 5 - Backup the current tmp folder

root@server:~# cd /
root@server:~# cp -a /tmp /tmp_backup # -a keeps ownership, permissions and timestamps of the temp files

Step 6 - Mount the new tmp folder

This will be done with the noexec, nosuid, and rw options.

root@server:~# mount -o loop,noexec,nosuid,rw /filesystems/tmp_fs /tmp

Set the correct permissions:

root@server:~# chmod 1777 /tmp

Step 7 - Copy old files to the new location

root@server:~# cp -a /tmp_backup/. /tmp/ # "/." also copies hidden files, -a keeps ownership and permissions
root@server:~# rm -rf /tmp_backup

Step 8 - Check tmp folder and try execution (Optional)

Check if the new partition exists:

root@server:~# df -h
root@server:~# mount

Check if you can execute any script:

root@server:~# cp /bin/ls /tmp
root@server:~# chmod 755 /tmp/ls

Run ls:

root@server:~# /tmp/ls

If everything worked, you should now get the output "Permission denied".

You can clean up with the following command:

root@server:~# rm /tmp/ls
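
A repeatable version of the mount check from Step 2 and Step 8, as an added example that is not part of the original tutorial. The helper name missing_tmp_opts is hypothetical; the first two sample lines are the outputs quoted in Step 2 and the third is constructed.

```shell
#!/bin/sh
# Added example (not from the original tutorial).
# missing_tmp_opts (hypothetical name) reads `mount` output on stdin and prints:
#   ok            mount point found with every required option
#   opt[,opt]     required options that are missing on the mount point
#   not-a-mount   the path is not a separate mount (it inherits options from /)
# $1 = mount point (default /tmp), $2 = required options (default noexec,nosuid)
missing_tmp_opts() {
    awk -v mp="${1:-/tmp}" -v want="${2:-noexec,nosuid}" '
        # Lines look like: SOURCE on MOUNTPOINT type FSTYPE (opt,opt,...)
        $2 == "on" && $3 == mp { line = $0 }   # keep the last match: the mount on top
        END {
            if (line == "") { print "not-a-mount"; exit }
            opts = line
            sub(/^.*\(/, "", opts)    # drop everything before the option list
            sub(/\).*$/, "", opts)    # drop the closing parenthesis
            n = split(opts, have, ",")
            for (i = 1; i <= n; i++) set[have[i]] = 1
            m = split(want, need, ",")
            out = ""; sep = ""
            for (i = 1; i <= m; i++)
                if (!(need[i] in set)) { out = out sep need[i]; sep = "," }
            print (out == "" ? "ok" : out)
        }'
}

# Run the check over the two Step 2 sample outputs and one constructed line.
demo() {
    for sample in \
        '/filesystems/tmp_fs on /tmp type ext3 (rw,nosuid,noexec,relatime,data=ordered)' \
        'tmpfs on /tmp type tmpfs (rw,nosuid,nodev)' \
        '/dev/sda1 on / type ext4 (rw,relatime)'
    do
        result=$(printf '%s\n' "$sample" | missing_tmp_opts)
        printf '%-12s <- %s\n' "$result" "$sample"
    done
}
demo
# On a live server: mount | missing_tmp_opts /tmp noexec,nosuid
```

Anything other than "ok" after a reboot means the fstab entry from Step 4 did not take effect.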

Conclusion

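Files in the tmp folder can no longer be executed directly and setuid bits on them are ignored, which secures your web server against many bad scripts and attacks that rely on the tmp folder. Note that noexec does not stop an interpreter from reading a script stored there (for example sh /tmp/script.sh), so treat it as one hardening layer. If you have any questions or feedback, please feel free to contact me.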

License: MIT