Making /tmp noexec

Discussion in 'General Discussion' started by jmfrisch, May 11, 2005.

  1. jmfrisch

    jmfrisch Kilo Poster

    Messages:
    69
    Noexec tmp

    Hi.

    I had my /tmp compromised this morning, so I thought I should make it noexec. However, when trying to create a tmp file using mke2fs, I find that it is not in the VE. Has anyone managed to create a noexec tmp?

    Jason
     
  2. Cranky

    Cranky Guru

    Messages:
    2,657
    From support a while back:

    Code:
    1)

    # dd if=/dev/zero of=/vz/tmpVE bs=1k count=2000000
    # losetup /dev/loop0 /vz/tmpVE
    # mkfs -t ext3 /dev/loop0
    # mkdir /vz/tmpVEs
    # mount /dev/loop0 /vz/tmpVEs -o noexec,nosuid,nodev,rw

    2) add the following lines marked by "+" to "/etc/sysconfig/vz-scripts/vz-postinst":

    -------
    8<-------------------
    wq'| ed -s $FILE >/dev/null
            fi
    }

    +function vztmpsetup()
    +{
    +
    +VEID=`basename $VE_ROOT`
    +
    +cp /etc/sysconfig/vz-scripts/new.mount /etc/sysconfig/vz-scripts/$VEID.mount
    +cp /etc/sysconfig/vz-scripts/new.umount /etc/sysconfig/vz-scripts/$VEID.umount
    +
    +chmod 755 /etc/sysconfig/vz-scripts/$VEID.mount /etc/sysconfig/vz-scripts/$VEID.umount
    +
    +}
    +
    randcrontab
    disableroot
    setupifup
    +vztmpsetup

    exit 0
    ---------------->8---------------

    3) create "/etc/sysconfig/vz-scripts/new.mount":

    ---------------8<--------------
    #!/bin/bash
    #
    # if one of these files does not exist then something is really broken

    [ -f /etc/sysconfig/vz ] || exit 1
    [ -f  $VE_CONFFILE  ] || exit 1
    [ -f /etc/sysconfig/vz-scripts/$VEID.conf ] || exit 1

    . /etc/sysconfig/vz
    . $VE_CONFFILE

    [ -e /vz/tmpVEs/$VEID ] || mkdir /vz/tmpVEs/$VEID
    mount --bind /vz/tmpVEs/$VEID $VE_ROOT/tmp
    ---------------->8--------------

    4) create "/etc/sysconfig/vz-scripts/new.umount":

    ------------------8<-----------
    #!/bin/bash
    # if one of these files does not exist then something is really broken
    [ -f /etc/sysconfig/vz ] || exit 1
    [ -f  $VE_CONFFILE  ] || exit 1

    # Source configuration files to access $VE_ROOT
    . /etc/sysconfig/vz
    . $VE_CONFFILE

    # Dismount shared directory
    if grep -q "$VE_ROOT/tmp" /proc/mounts; then
        umount $VE_ROOT/tmp
    fi
    ------------>8-----------------------

    5) add the following lines to "/etc/rc.sysinit":

    ----------------8<------------
    losetup /dev/loop0 /vz/tmpVE
    mount /dev/loop0 /vz/tmpVEs -o noexec,nosuid,nodev,rw
    ------------------>8--------------

    And create the same *.mount and *.umount scripts for already created VEs.
     
  3. jmfrisch

    jmfrisch Kilo Poster

    Messages:
    69
    Nice one!
     
  4. jmfrisch

    jmfrisch Kilo Poster

    Messages:
    69
    I can't change domains now.

    I get an error something like:
    cannot create/write to file /tmp/Mso87sdf.MYI

    Do you think this is related? I have tried creating a file in /tmp manually and it works.
     
  5. fenster

    fenster Tera Poster

    Messages:
    429
    Which user tried to create /tmp/something.MYI?
     
  6. jmfrisch

    jmfrisch Kilo Poster

    Messages:
    69
    Got it sorted out.

    Need to change:
    Code:
    [ -e /vz/tmpVEs/$VEID ] || mkdir /vz/tmpVEs/$VEID

    to:
    Code:
    [ -e /vz/tmpVEs/$VEID ] || mkdir /vz/tmpVEs/$VEID && chmod 777 /vz/tmpVEs/$VEID

    tmp should be 777, right?
     
  7. fenster

    fenster Tera Poster

    Messages:
    429
    1777. Sticky bit should be set to prevent removing of files belonging to other users.
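
The per-VE mount hook from post 2, rewritten as an added example (not code from the thread's authors or from SWsoft) to apply the 1777 mode fenster describes and to fail closed. It assumes what the thread assumes: vzctl passes VEID, VE_ROOT and VE_CONFFILE in the environment, and /vz/tmpVEs is the loop-backed mount carrying noexec,nosuid,nodev. The `mountpoint` and `install` utilities are assumed available.

```bash
#!/bin/bash
# Added example, not the thread's new.mount: bind a per-VE directory from the
# noexec backing mount over the VE's /tmp, with the sticky bit set.
# Assumed environment (as in the thread): VEID, VE_ROOT, VE_CONFFILE.
TMPBASE="${TMPBASE:-/vz/tmpVEs}"   # assumed backing mount (noexec,nosuid,nodev)

# prepare_tmp_dir DIR: create DIR if missing and force mode 1777, i.e.
# world-writable with the sticky bit, so users cannot remove each other's
# files. The chmod after install -d also fixes a directory that already
# existed with a weaker mode (the case jmfrisch hit above). Prints the
# resulting octal mode.
prepare_tmp_dir() {
    local dir="$1"
    install -d -m 1777 "$dir" || return 1
    chmod 1777 "$dir" || return 1
    stat -c '%a' "$dir"
}

# bind_ve_tmp VEID VE_ROOT: bind TMPBASE/VEID over VE_ROOT/tmp. Idempotent:
# if the VE's /tmp is already a mountpoint nothing is stacked on top of it.
bind_ve_tmp() {
    local veid="$1" root="$2"
    prepare_tmp_dir "$TMPBASE/$veid" >/dev/null || return 1
    if mountpoint -q "$root/tmp"; then
        return 0
    fi
    mount --bind "$TMPBASE/$veid" "$root/tmp"
}

hook_main() {
    # if one of these files does not exist then something is really broken
    [ -f /etc/sysconfig/vz ] || return 1
    [ -f "${VE_CONFFILE:-}" ] || return 1
    . /etc/sysconfig/vz
    . "$VE_CONFFILE"
    [ -n "${VEID:-}" ] && [ -n "${VE_ROOT:-}" ] || return 1
    # fail closed: if the backing store is not mounted we would otherwise
    # bind a plain directory on /vz that carries none of the restrictions
    mountpoint -q "$TMPBASE" || return 1
    bind_ve_tmp "$VEID" "$VE_ROOT"
}

# act as a hook only when vzctl hands us a VE environment; otherwise the
# functions are merely defined (sourcing, testing)
if [ -n "${VEID:-}" ] && [ -n "${VE_ROOT:-}" ]; then
    hook_main || exit 1
fi
```

Installed as `/etc/sysconfig/vz-scripts/$VEID.mount` it replaces the `mkdir` + `chmod 777` pair with one `install -d -m 1777`, and refuses to run when /vz/tmpVEs is not actually mounted, which is the failure mode bram's `df` output later in the thread would reveal for VEs that never got a hook.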
     
  8. JamesB

    JamesB Kilo Poster

    Messages:
    24
    To secure /var/tmp as well, would you recommend another line such as:
    Code:
    mount --bind /vz/tmpVEs/$VEID $VE_ROOT/tmp
    mount --bind /vz/tmpVEs/$VEID $VE_ROOT/var/tmp
    
    or just symlinking /var/tmp to /tmp in the VE?
     
  9. jmfrisch

    jmfrisch Kilo Poster

    Messages:
    69
    mount --bind /vz/tmpVEs/$VEID $VE_ROOT/tmp

    mounts tmp.
     
  10. barmaley

    barmaley Mega Poster

    Messages:
    233
    Just my 2 cents... If you decided to make noexec tmp for your VEs - don't do that for the service VE (if you have one, of course). VZagent - at least the current version - doesn't work correctly; I believe it's not because of noexec but because of /tmp being on a different filesystem. It doesn't die though. I've seen only timeouts when a backup to a remote node was initiated from VZMC/VZPP.
     
  11. JamesB

    JamesB Kilo Poster

    Messages:
    24
    Is there a new way to do this in Virtuozzo 2.6.2? The file /etc/sysconfig/vz-scripts/vz-postinst does not seem to exist in VZ 2.6.2.
     
  12. SupportTeam

    SupportTeam Guest

    You may check /etc/sysconfig/vz-scripts/dists/scripts/postcreate.sh script for post-install actions.

    Thanks,
    __________________
    Yuri Tarasov
    SWsoft Support Team
     
  13. bram

    bram Kilo Poster

    Messages:
    19
    Hello,

    I have installed noexec on my Virtuozzo hardware node. On this node run 3 VPS.

    This is the output of df:

    Code:
    Filesystem 1K-blocks Used Available Use% Mounted on
    /dev/sda1 2063504 1713416 245268 88% /
    none 1033180 0 1033180 0% /dev/shm
    /dev/sda3 58918843 52756317 2794499 95% /vz
    /vz/tmpVEs/84073 1968528 33196 1835332 2% /vz/root/84073/tmp
    /dev/loop0 1968528 33196 1835332 2% /vz/tmpVEs

    How can I start noexec for the two other VPS?

    kind regards,

    bram
     
  14. barmaley

    barmaley Mega Poster

    Messages:
    233
    It is recommended by everyone, but in my opinion it's just a very small addition to your security. noexec/nosuid /tmp for sure won't allow an intruder to run executables on /tmp; but please explain to me what is the difference between

    # cat /tmp/ugly_script
    #!/bin/bash
    rm -rf /*

    # ./tmp/ugly_script

    and

    # /bin/bash /tmp/ugly_script

    The first command won't work; the second one doesn't care how /tmp is mounted. And since someone has downloaded something to /tmp, I really do believe this someone has found a way to run binaries on your system, no matter how /tmp is mounted.

    Am I missing something?
     
  15. fenster

    fenster Tera Poster

    Messages:
    429
    They sometimes don't want to mess up your system, but want to run IRC bot for example. It's binary, and noexec makes sense in that case.
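
A self-check for the two cases barmaley and fenster are arguing about, added here as an example (not from either poster): it drops a constructed, harmless probe script into a directory on the mount under test, then tries it both ways. The probe script and function names are this example's own.

```bash
#!/bin/sh
# Added example, not from the thread: measure what a noexec mount covers.
# DIR is any directory on the mount under test; the probe is constructed here.

# write_probe DIR: write a harmless executable script into DIR, print its path
write_probe() {
    p="$1/noexec-probe.sh"
    printf '#!/bin/sh\necho ran\n' >"$p"
    chmod 755 "$p"
    echo "$p"
}

# probe_direct DIR: run the probe through its #! line. On a noexec mount
# execve() fails with EACCES, the shell reports exit status 126 and we print
# "blocked"; on an ordinary mount the script runs and we print "allowed".
# This is the case fenster describes: a native binary or #! script dropped
# into /tmp cannot be started from there.
probe_direct() {
    p=$(write_probe "$1")
    rc=0
    "$p" >/dev/null 2>&1 || rc=$?
    rm -f "$p"
    if [ "$rc" -eq 126 ]; then
        echo blocked
    elif [ "$rc" -eq 0 ]; then
        echo allowed
    else
        echo "error $rc"
    fi
}

# probe_interp DIR: hand the same file to an interpreter that already lives
# on an exec-capable filesystem. The kernel only exec()s /bin/sh, the file is
# plain data to it, so the mount option plays no part and this prints "ran"
# on any mount. This is barmaley's gap: noexec does not cover interpreted
# content, which is why it is a small addition rather than a boundary.
probe_interp() {
    p=$(write_probe "$1")
    sh "$p"
    rm -f "$p"
}

# stand-alone demo: sh thisfile demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    echo "direct:      $(probe_direct "$d")"
    echo "interpreter: $(probe_interp "$d")"
    rmdir "$d"
fi
```

Run with a directory on the VE's /tmp after the bind mount is in place: "direct: blocked" confirms the option is actually effective on the path the VE sees, and "interpreter: ran" is the reminder of what it never covered.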
     
  16. madsere

    madsere Tera Poster

    Messages:
    352
    I'm trying to add noexec,nosetuid /tmp partitions for the VEs, for performance reasons using a real noexec,nosetuid /tmp partition as the base instead of a loop0 file.

    There's a 5-step FAQ here that I would use as a base.

    Steps 1 and 5 explain how to set up the loop0, so I'll just discard that.

    Steps 3 and 4 create the mount and unmount scripts; they're easy enough to modify.

    Step 2 seems buggy though:

    QUESTIONS:

    1) My 2.6.2 system does not have a /etc/sysconfig/vz-scripts/vz-postinst and I don't understand the cryptic reply from Yuri Tarasov. Is he saying I should copy /etc/sysconfig/vz-scripts/dists/scripts/postcreate.sh to /etc/sysconfig/vz-scripts/vz-postinst and work from that?
    2) Is that closing '}' on line 3 for real?
    3) I believe lines 11, 13 and 15 should not have been wrapped. AFAIK you can't break cp and chmod lines. Right?
     
  17. barmaley

    barmaley Mega Poster

    Messages:
    233
    Another approach: /tmp settings can be system-wide (/etc/sysconfig/vz) or can be defined per-VPS. No questions please - it does work, it's been tested :)

    Has the same problems as the loop-device solution (no way to clean /tmp when a VPS gets destroyed, no way to migrate /tmp along with the 'parent' VPS to another server).

    ******
    Implemented by cgalpin (Charles Galpin of PowerVPS) at least 6 months before I wrote these scripts. My only excuse is that I did not know that when I had to write these scripts :)
    ******

    [root@classified barmaley]# cat /etc/sysconfig/vz-scripts/vps.mount
    #!/bin/bash
    #
    # this script is global and executed for
    # every VPS at startup time.
    # we're going to create and mount
    # a temp area with nosuid, nodev and noexec,
    # which will have vzquota configured and running.
    # nodev is probably an overkill for a VE
    # but I just like it :)

    # Current issues:
    # 1) vzquota accepts only numeric <quota_id>
    # and does it in a very weird way. Details below.
    # 2) not clear how to handle on->off and off->on
    # changes for tmp area - ie. what to do with files
    # under /tmp and /var/tmp.
    # it's possible to move files back and forth on
    # mount/umount stage - ie.
    #
    # mv tmp temptmp
    # mount tmparea
    # tar -cf - -C temptmp . | tar xpf - -C tmp
    #
    # on mount and opposite action on umount but it may
    # take considerable time - we have quotas already
    # running, it's copying across mountpoints etc.
    # 3) perhaps tmp should be added to /etc/fstab -
    # however on my test VE fstab doesn't have a
    # 'reiserfs' entry for / even with second-level
    # quotas enabled.
    # 4) Completely unclear what to do with second-level quotas...

    # script works with $VEID and $VE_CONFFILE
    # vars which are passed as environment
    # variables. All the rest can be defined
    # a) in /etc/sysconfig/vz as a system-wide
    # and b) in VE config file.

    # tmp sizes/limits
    VPSTMP_BLOCKS=$((150*1024))
    VPSTMP_INODES=2000

    # tmp 'path' - we might want to have it outside
    # of /vz
    TMPPATH="/vz/private"
    VPSTMP="${VEID}-temparea"

    # currently service VPS just doesn't work right
    # with a dedicated nosuid / noexec TMP.
    if [ ${VEID} -eq 1 ]; then
        exit 0
    fi

    # source configs.
    if [ -f /etc/sysconfig/vz ]; then
        . /etc/sysconfig/vz
    else
        exit 1
    fi

    if [ -f ${VE_CONFFILE} ]; then
        . ${VE_CONFFILE}
    else
        exit 1
    fi

    # a special var from either global file
    # or VPS config.
    if [ -z "${VPS_TMP_AREA}" ]; then
        # TMP area not configured in either config.
        exit 0
    fi

    if [ "${VPS_TMP_AREA}" != "yes" -a "${VPS_TMP_AREA}" != "YES" ]; then
        # TMP area is disabled in either config
        exit 0
    fi

    # after sourcing configs we might have
    # blocks/inodes in limit:barrier form
    # and have to handle it. Perhaps we
    # need to check that soft < hard here.
    if [ "${VPSTMP_BLOCKS}" = "${VPSTMP_BLOCKS/:/}" ]; then
        VPSTMP_BLOCKS_SOFT=${VPSTMP_BLOCKS}
        VPSTMP_BLOCKS_HARD=${VPSTMP_BLOCKS}
    else
        VPSTMP_BLOCKS_SOFT=${VPSTMP_BLOCKS%%:*}
        VPSTMP_BLOCKS_HARD=${VPSTMP_BLOCKS##*:}
    fi

    if [ "${VPSTMP_INODES}" = "${VPSTMP_INODES/:/}" ]; then
        VPSTMP_INODES_SOFT=${VPSTMP_INODES}
        VPSTMP_INODES_HARD=${VPSTMP_INODES}
    else
        VPSTMP_INODES_SOFT=${VPSTMP_INODES%%:*}
        VPSTMP_INODES_HARD=${VPSTMP_INODES##*:}
    fi

    # it seems that vzquota not only doesn't work
    # with non-numeric <quota_id> but also silently
    # removes non-numeric chars from supplied
    # <quota_id>, without reporting errors.
    # this indeed is very unfortunate since
    # we have to use something like ${VEID}00001
    # instead of ${VEID}-tmparea for <quota_id> -
    # otherwise there's some weird interaction
    # between VPS and temparea quotas.
    ### WARNING!!!!!!#####
    # ve id can not be more than 2^32-1, if you
    # use "big" IDs for VEs, you have to
    # modify a var below to have VPSTMP_QUOTAID
    # below the VE ID "limit" (this limit also
    # applies to quota IDs)
    VPSTMP_QUOTAID=${VEID}1111

    # other constants
    # VZ_PRIVATE=/vz/private

    # strip a trailing slash from TMPPATH
    # (%%/? would only strip a slash followed by one more character)
    TMPPATH=${TMPPATH%/}

    # extra sanity check
    if [ "${TMPPATH}/${VPSTMP}" = "/" ]; then
        exit 1
    fi

    # if we don't have "vzfs filesystem" for the temp
    # area - we have to create it, and init quota on it.
    if [ ! -d "${TMPPATH}/${VPSTMP}" ]; then
        mkvzfs ${TMPPATH}/${VPSTMP}
        RETVAL=$?
        if [ ${RETVAL} -ne 0 ]; then
            # some logging?
            exit $RETVAL
        fi
        vzquota init ${VPSTMP_QUOTAID} -p ${TMPPATH}/${VPSTMP} \
            -c /var/vzquota/quota.${VPSTMP_QUOTAID} \
            --block-softlimit ${VPSTMP_BLOCKS_SOFT} \
            --block-hardlimit ${VPSTMP_BLOCKS_HARD} \
            --block-exptime 0 \
            --inode-softlimit ${VPSTMP_INODES_SOFT} \
            --inode-hardlimit ${VPSTMP_INODES_HARD} \
            --inode-exptime 0
        RETVAL=$?
        if [ ${RETVAL} -ne 0 ]; then
            # some logging?
            exit $RETVAL
        fi
    fi

    # turning quota on.
    vzquota on ${VPSTMP_QUOTAID}
    RETVAL=$?
    if [ $RETVAL -ne 0 ]; then
        # some logging
        exit $RETVAL
    fi

    ######
    # note: perhaps quota init / quota on only if quotas are enabled in either
    # config file? I'm not sure how to check correctly if vzquota is already
    # initialized or not
    ######

    # OK, assuming that everything is done. Now we need to mount tmp.
    if [ ! -d "${TMPPATH}/${VPSTMP}" ]; then
        # something really is broken.
        exit 1
    else
        # vzfs source is <template_dir>:<private_dir>, target is the VE's /tmp
        mount -t vzfs -o noatime,nosuid,noexec,nodev,rw \
            /vz/template:${TMPPATH}/${VPSTMP} ${VE_ROOT}/tmp
        RETVAL=$?
        if [ $RETVAL -ne 0 ]; then
            # some logging
            exit $RETVAL
        fi
        # we want tmp to have 1777 mode
        chmod 1777 ${VE_ROOT}/tmp
    fi

    # if we're here - everything is good so far :)
    # we want /var/tmp to be a symlink to /tmp.
    if [ ! -L ${VE_ROOT}/var/tmp ]; then
        rm -rf ${VE_ROOT}/var/tmp
        ln -s /tmp ${VE_ROOT}/var/tmp
    fi

    exit 0


    [root@classified barmaley]# cat /etc/sysconfig/vz-scripts/vps.umount
    #!/bin/bash
    #
    # this script is global and executed for
    # every VPS at stop time
    # we're going to umount a temp area and
    # stop vzquota for it.

    # script works with $VEID and $VE_CONFFILE
    # vars which are passed as environment
    # variables. All the rest can be defined
    # a) in /etc/sysconfig/vz as a system-wide
    # and b) in VE config file.

    TMPPATH="/vz/private"
    VPSTMP="${VEID}-temparea"

    # currently service VPS just doesn't work right
    # with a dedicated nosuid / noexec TMP.
    if [ ${VEID} -eq 1 ]; then
        exit 0
    fi

    # source configs.
    if [ -f /etc/sysconfig/vz ]; then
        . /etc/sysconfig/vz
    else
        exit 1
    fi

    if [ -f ${VE_CONFFILE} ]; then
        . ${VE_CONFFILE}
    else
        exit 1
    fi

    # script is really simple and most likely should be
    # changed completely
    VPSTMP_QUOTAID=${VEID}1111

    if grep -q ${VPSTMP} /proc/mounts; then
        umount ${VE_ROOT}/tmp
        RETVAL=$?
        if [ ${RETVAL} -ne 0 ]; then
            # some logging?
            # do we need 'umount -f' here?
            exit ${RETVAL}
        fi
        # vzctl --verbose shows that on stop
        # 'vzquota stat id -f' is used -
        # don't know why. Pointless according
        # to manpage. We won't do it.
        vzquota off ${VPSTMP_QUOTAID}
        RETVAL=$?
        if [ ${RETVAL} -ne 0 ]; then
            # some logging?
            exit ${RETVAL}
        fi
    fi

    exit 0

    [root@classified barmaley]#
     
  18. skopii

    skopii Kilo Poster

    Messages:
    11
    This really seems like a lot of extra work. I just added the lines:
    Code:
    none /tmp tmpfs nodev,nosuid,noexec 0 0
    none /var/tmp tmpfs nodev,nosuid,noexec 0 0
    none /dev/shm tmpfs nodev,nosuid,noexec 0 0

    to /etc/fstab. Seems to do the trick for me.
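
Whichever layout is used, the fstab lines in this post or the loop-device backing mount from post 2, the thing worth checking afterwards is that every temp mountpoint really carries all three options, and that a mistyped option field did not silently drop one. The auditor below is an added example (not from any poster); it reads the six-column layout shared by /etc/fstab and /proc/mounts, so the same function checks the intended configuration and the live state. The sample fstab is constructed for the demo and includes a deliberately mistyped separator on the /dev/shm line.

```bash
#!/bin/sh
# Added example, not from the thread: audit temp mountpoints in an
# fstab/proc-mounts layout (device mountpoint type options dump pass).

REQUIRED_OPTS="nodev nosuid noexec"

# has_opt OPTS OPT: true only if OPT is one whole comma-separated element of
# OPTS. A mistyped separator such as "nodev/nosuid" therefore matches
# neither nodev nor nosuid, which is exactly the mistake we want to catch.
has_opt() {
    case ",$1," in
        *,"$2",*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mounts FILE MOUNTPOINT...: one line per requested mountpoint,
# "<mnt> ok", "<mnt> missing <opts>" or "<mnt> absent"; returns 1 if any
# mountpoint is not ok. Comment lines are skipped; for /proc/mounts the last
# matching entry wins, which is the mount currently on top of that path.
audit_mounts() {
    file="$1"; shift
    status=0
    for mnt in "$@"; do
        opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { o = $4 } END { print o }' "$file")
        if [ -z "$opts" ]; then
            echo "$mnt absent"
            status=1
            continue
        fi
        missing=""
        for req in $REQUIRED_OPTS; do
            has_opt "$opts" "$req" || missing="$missing $req"
        done
        if [ -n "$missing" ]; then
            echo "$mnt missing$missing"
            status=1
        else
            echo "$mnt ok"
        fi
    done
    return $status
}

# write_sample_fstab: constructed input for the demo, written to a temp file
# whose path is printed. The /dev/shm line carries a slash where a comma
# belongs, so only noexec is really set on it.
write_sample_fstab() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sample, not a real fstab
/dev/sda1 / ext3 defaults 1 1
none /tmp tmpfs nodev,nosuid,noexec 0 0
none /var/tmp tmpfs nodev,nosuid,noexec 0 0
none /dev/shm tmpfs nodev/nosuid,noexec 0 0
EOF
    echo "$f"
}

# stand-alone demo: sh thisfile demo
# on a live node: audit_mounts /proc/mounts /tmp /var/tmp /dev/shm
# for the loop layout from post 2: audit_mounts /proc/mounts /vz/tmpVEs
if [ "${1:-}" = "demo" ]; then
    f=$(write_sample_fstab)
    audit_mounts "$f" /tmp /var/tmp /dev/shm
    rm -f "$f"
fi
```

Against the constructed sample the demo reports `/tmp ok`, `/var/tmp ok` and `/dev/shm missing nodev nosuid`, and exits non-zero, so it can sit in a post-boot check or a monitoring script without parsing its output.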
     
  19. fenster

    fenster Tera Poster

    Messages:
    429
    It does work, but do you really want to waste memory on /tmp partitions? The scripts in this topic make /tmp on disk which is a bit better.
     
  20. skopii

    skopii Kilo Poster

    Messages:
    11
    I do this on all servers; for the amount of space that sessions and sockets take up, it's not a big deal. Occasionally I need to mount /var/tmp exec. It doesn't cause any problems for me.

    I would like to point out that I am not using mod_gzip. This doesn't seem to cause any problems for me.

    Perhaps fenster is right though. I was just saying what I do.
     
