LinuxQuestions.org

Thread: Linux - Newbie > /tmp partition mount with noexec (https://www.linuxquestions.org/questions/linux-newbie-8/tmp-partition-mount-with-noexec-4175619771/)

apj 12-17-2017 05:30 AM

/tmp partition mount with noexec
 
How do I mount /tmp with noexec, given that there is no entry for it in /etc/fstab on CentOS 7?

MadeInGermany 12-17-2017 05:53 AM

Is /tmp a separate filesystem or just a subdirectory in the root filesystem?
Code:

df /tmp

sevendogsbsd 12-17-2017 08:12 AM

You can add an entry to /etc/fstab for tmpfs manually, or I think systemd can do this also. No clue how to do it in systemd, but I am sure there is info out there.

https://wiki.centos.org/TipsAndTricks/TmpOnTmpfs

wpeckham 12-17-2017 08:16 AM

Quote:

Originally Posted by apj (Post 5794183)
How do I mount /tmp with noexec, given that there is no entry for it in /etc/fstab on CentOS 7?

What exactly are you doing that would make this matter?

apj 12-17-2017 09:32 AM

/tmp is just subdirectory under root directory.

I want to mount it with noexec flag.

AwesomeMachine 12-17-2017 01:21 PM

I think what wpeckham is asking is: maybe there is a better way to do what you want. Could you explain why you need noexec on /tmp? We can tell you how to do it, but we can't figure out why anyone would want to do it. So there's probably a better way to do whatever it is you want.

MadeInGermany 12-17-2017 01:24 PM

For mount options you must mount /tmp, i.e. it must be a separate filesystem (and it needs an entry in /etc/fstab).
Maybe you have 3+ GB reserved in the LVM? Then you can create one.

Alternatively, for a subdirectory you can maybe achieve something similar by means of a default ACL. I have not done it yet; please try it yourself. Start by reading the man pages:
Code:

man chmod
Code:

man setfacl

rknichols 12-17-2017 01:38 PM

Quote:

Originally Posted by AwesomeMachine (Post 5794301)
But we can't figure out why anyone would want to do it.

In a situation where users are supposed to be restricted to running specific programs only, you don't want to allow execute permission in any directory where that user also has write permission. It keeps a restricted user from downloading a copy of Doom from the web and executing it.

But, if /tmp is just a root filesystem directory and not a separate filesystem, I don't know how you could give it more restrictive mount options. You could almost do it with a bind-mount, but I don't think it's possible to bind-mount a directory on top of itself. In systems that follow the current recommendation of making /tmp a tmpfs in RAM, it would of course be easy.

[EDIT] On second thought, just create another directory /tmp-r. Then
Code:

mount --bind /tmp-r /tmp
mount -o remount,noexec /tmp

And on third thought, that's not going to work either, as it still leaves the /tmp-r directory exposed. It can work this way:
Code:

mkdir -p /tmp-r/tmp
chmod 700 /tmp-r
chmod 1777 /tmp-r/tmp
mount --bind /tmp-r/tmp /tmp
mount -o remount,noexec /tmp

Now no one but root can reach the writable /tmp-r/tmp directory directly.

wpeckham 12-17-2017 04:40 PM

If I had a system I wanted to restrict that far, I would download the sources for IBS (Iron Bound Shell), compile it for my system, configure it, and make it the default shell for those restricted users (only). IBS allows me to restrict EXACTLY what commands a user may run.

Another option is to use the passwd and ssh settings to chroot the user into their home folder and restrict that as needed. This allows them to do many things, but they will not be able to even REACH /tmp.

rknichols 12-17-2017 05:09 PM

Quote:

Originally Posted by wpeckham (Post 5794357)
Another option is to use the passwd and ssh settings to chroot the user into their home folder and restrict that as needed. This allows them to do many things, but they will not be able to even REACH /tmp.

Setting up a chroot for a user requires a lot more than that user's home directory.

AwesomeMachine 12-17-2017 05:17 PM

Even if /tmp is a directory on disk, you can just make it tmpfs if you want.
Code:

$ mount -t tmpfs -o size=512m,noexec tmpfs /tmp
Of course it would initially be disruptive to the system, because all the files in /tmp would disappear. But after you edit /etc/fstab and reboot it would be OK.

apj 12-20-2017 03:56 AM

Thank you so much to all for helping me.
I created one LV, mounted /tmp on it, and executed mount -o remount,noexec /tmp.

wpeckham 12-20-2017 05:25 AM

Quote:

Originally Posted by apj (Post 5795353)
Thank you so much to all for helping me.
I created one LV, mounted /tmp on it, and executed mount -o remount,noexec /tmp.

Keep in mind you must also add the fstab entry, or this will only be temporary.
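
Editor's added example (not code posted in this thread): one script that ties together rknichols's bind-mount procedure for a /tmp that is only a directory on the root filesystem, the persistent /etc/fstab entry that wpeckham says is required, and a check that noexec is actually in effect. It assumes Linux with util-linux mount(8) and awk; the apply step must run as root. The /tmp-r path is the one from rknichols's post; the device path /dev/mapper/vg-tmp is a hypothetical stand-in for the LV apj created, and the sample mount table is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread.  Shows (1) the fstab line that makes
# the setting survive a reboot, (2) the bind-mount trick for a /tmp that is
# just a directory, (3) a check that noexec is really set, (4) the caveat.
# Assumes Linux, util-linux mount(8), awk.  The --apply step needs root.
# /dev/mapper/vg-tmp below is hypothetical.

# Print the /etc/fstab entry.
#   fstab_line tmpfs                    -> tmpfs-backed /tmp
#   fstab_line /dev/mapper/vg-tmp xfs   -> dedicated LV, as apj set up
# nosuid and nodev are added because they belong on any world-writable mount.
fstab_line() {
    if [ "$1" = tmpfs ]; then
        printf 'tmpfs /tmp tmpfs defaults,size=512m,noexec,nosuid,nodev 0 0\n'
    else
        printf '%s /tmp %s defaults,noexec,nosuid,nodev 0 0\n' "$1" "$2"
    fi
}

# Read a mount table in /proc/self/mounts format (source target fstype
# options dump pass) on stdin and report whether mount point $1 has option $2.
# Exit 0 = option set, 1 = mounted without it, 2 = not mounted at all.
# A target listed more than once is a stack of mounts; only the last line is
# visible to processes, so only that line is consulted.
mount_has_opt() {
    awk -v t="$1" -v o="$2" '
        $2 == t { opts = $4 }
        END {
            if (opts == "") exit 2
            n = split(opts, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == o) exit 0
            exit 1
        }'
}

# Constructed sample table for the offline check (not from a real host).
SAMPLE_MOUNTS='/dev/mapper/centos-root / xfs rw,relatime,attr2,inode64,noquota 0 0
/dev/mapper/centos-home /home xfs rw,relatime,attr2,inode64,noquota 0 0
/dev/mapper/centos-root /tmp xfs rw,noexec,nosuid,nodev,relatime,attr2,inode64,noquota 0 0'

# rknichols'"'"'s approach for a /tmp that is only a directory: hide the real
# directory behind a 0700 parent, bind it over /tmp, then flip the flags.
# "remount,bind" changes only this mount point, not the root filesystem
# that backs it.
harden_tmp_bind() {
    mkdir -p /tmp-r/tmp
    chmod 700 /tmp-r
    chmod 1777 /tmp-r/tmp
    mount --bind /tmp-r/tmp /tmp
    mount -o remount,bind,noexec,nosuid,nodev /tmp
}

# Prove the flag bites: execve() of a file on a noexec mount fails with
# EACCES, so a copy of /bin/true placed in /tmp must not run.
verify_noexec() {
    cp /bin/true /tmp/noexec-probe.$$ && chmod 755 /tmp/noexec-probe.$$
    if /tmp/noexec-probe.$$ 2>/dev/null; then
        echo 'FAIL: /tmp still executes binaries'; rc=1
    else
        echo 'OK: direct execution from /tmp is blocked'; rc=0
    fi
    rm -f /tmp/noexec-probe.$$
    # Caveat: noexec only blocks execve() of files on that mount.  A script
    # handed to an interpreter (sh /tmp/x.sh, python /tmp/x.py) still runs,
    # which is why a restricted shell, as wpeckham suggests, is the tool for
    # limiting what a user may run.
    return $rc
}

case "${1:-}" in
    --apply) harden_tmp_bind && verify_noexec ;;
    --check) mount_has_opt /tmp noexec < /proc/self/mounts && echo '/tmp is noexec' ;;
    --fstab) fstab_line "${2:-tmpfs}" "${3:-xfs}" ;;
    *)       printf '%s\n' "$SAMPLE_MOUNTS" | mount_has_opt /tmp noexec \
                 && echo 'sample table: /tmp is noexec' ;;
esac
```

Run it with --apply as root to perform the bind mount and the probe, with --check to read the live mount table, and with --fstab to print the line to append to /etc/fstab. Two notes from the editor, not from the thread: a directory can in fact be bound over itself (mount --bind /tmp /tmp, then the same remount,bind,noexec), which hides the original directory beneath the mount without a separate /tmp-r parent; and the systemd route mentioned earlier (tmp.mount on CentOS 7) takes its mount options from the unit's Options= line, so noexec has to be added there rather than in /etc/fstab.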

apj 12-25-2017 01:13 AM

Quote:

Originally Posted by wpeckham (Post 5795387)
Keep in mind you must also add the fstab entry, or this will only be temporary.

Yes sure.

Thank You

