secure /dev/shm

bytez · 05-17-2007, 11:00 PM

Quote:

/dev/shm isn't mounted with the noexec,nosuid options (currently: none). You should consider adding a mountpoint into /etc/fstab for /dev/shm with those options

Got this on my security check, could anyone tell me step by step how to secure it? Thanks so much!

win32sux · 05-18-2007, 03:58 PM

AFAICT, it probably wants a line like this in your /etc/fstab file:

Code:

devshm /dev/shm tmpfs rw,noexec,nosuid 0 0

bytez · 05-18-2007, 04:01 PM

thanks, how to I edit the fstab file without breaking the system? Could I just use pico command?

win32sux · 05-18-2007, 04:12 PM

Quote:

Originally Posted by bytez

thanks, how to I edit the fstab file without breaking the system? Could I just use pico command?

well, my suggestion would be to first try it without editing the file... in other words, just remount your devshm with the new options... if anything goes wrong (unlikely but possible) you can just reboot and be done with it... check it:

Code:

win32sux@candystore:~$ mount | grep shm
devshm on /dev/shm type tmpfs (rw)
win32sux@candystore:~$ sudo mount -o rw,noexec,nosuid,remount -t tmpfs devshm /dev/shm
win32sux@candystore:~$ mount | grep shm
devshm on /dev/shm type tmpfs (rw,noexec,nosuid)

then when you are sure your box didn't break, make a backup of your fstab before editing it:

Code:

cat /etc/fstab > /etc/fstab.bak

this way if all hell breaks loose upon reboot then you can just boot a live cd and cat the backup file back into the proper one...

PS: yes, pico is fine, any text editor will do, really...