Securing /tmp on a linux server

Alex Kondratiev
Pavlo Konobeyev


One of the first things we do here at ITsyndicate is to secure /tmp, /var/tmp and /dev/shm to prevent common exploits and rootkits from having their way with a server. This method doesn’t prevent users from uploading content to those directories, but it disables their direct execution and the suid buffer overflow exploit.


Securing /tmp directory

This directory is used by Apache, MySQL and PHP, among others, to store temporary data as well as lock files and sockets. You have probably seen a lot of session files and the mysql.sock file under it, but sometimes attackers can upload and execute exploits with a PHP injection via Apache.

Step 1: Backup /etc/fstab

shell

cp -a /etc/fstab /etc/fstab.bak

Step 2: Make a 3GB file and format it with ext3

We will be placing this file under /var but you can choose whatever partition works best for you.

shell

dd if=/dev/zero of=/var/tempFS bs=1024 count=3072000
/sbin/mkfs.ext3 /var/tempFS

Step 3: Create a backup copy of your current /tmp

shell

rsync -av /tmp/ /tmpbackup/

Step 4: Mount our new tmp partition and change permissions

shell

mount -o loop,noexec,nosuid,rw /var/tempFS /tmp
chmod 1777 /tmp

Step 5: Copy the old data

shell

rsync -av /tmpbackup/ /tmp/

Step 6: Update fstab

Add this line or replace the existing /tmp line in the /etc/fstab:

fstab

/var/tempFS /tmp ext3 loop,nosuid,noexec,rw 0 0

Step 7: Test your fstab entry

shell

mount -o remount /tmp

Step 8: Verify that your /tmp mount is working

If you run df -h, the output should look like this:

/var/tempFS 962M 18M 896M 2% /tmp

Some data centers create a /tmp partition when they provision the server, so you only have to add the options noexec and nosuid to its line in /etc/fstab, remount the partition and restart everything that uses /tmp.

Securing /var/tmp

This directory is pretty much the same as /tmp, with the exception that /var/tmp is not purged on every reboot, and we do want it purged. So we’ll be removing /var/tmp and making it available under /tmp with a symbolic link.

Step 1: Rename /var/tmp and create a symbolic link to /tmp

shell

mv /var/tmp /var/vartmp
ln -s /tmp /var/tmp

Step 2: Copy the old data back

shell

rsync -av /var/vartmp/ /tmp/

Step 3: Remove /var/vartmp

shell

rm -rf /var/vartmp

Securing /dev/shm

/dev/shm is nothing but the implementation of the traditional shared memory concept. It is an efficient way to pass data between programs, but the problem is that everyone can create, read, and execute files on it by default.

Step 1: Edit your /etc/fstab

Edit the /etc/fstab file and locate:

fstab

none /dev/shm tmpfs defaults,rw 0 0

Change it to:

fstab

none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0

Step 2: Remount /dev/shm

shell

mount -o remount /dev/shm
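As an added example (not part of the original post), here is a small audit script that checks whether the mounts hardened above actually carry noexec and nosuid, by parsing lines in /proc/mounts format. It runs on a constructed sample so it works anywhere; on a real server feed it the contents of /proc/mounts instead.

```shell
#!/bin/sh
# Added example: audit mount options the way a post-change check would.
# Parses /proc/mounts-style lines (device mountpoint fstype options dump pass).

# mount_has_opts <mounts-text> <mountpoint> <opt1,opt2,...>
# Returns 0 when <mountpoint> is mounted with every listed option, 1 otherwise.
mount_has_opts() {
    mounts="$1"; target="$2"; wanted="$3"
    # Last matching entry wins: a later mount over the same point shadows earlier ones.
    opts=$(printf '%s\n' "$mounts" | awk -v mp="$target" '$2 == mp { print $4 }' | tail -n 1)
    [ -n "$opts" ] || return 1            # not mounted at all
    for o in $(printf '%s' "$wanted" | tr ',' ' '); do
        case ",$opts," in
            *",$o,"*) ;;                  # option present
            *) return 1 ;;                # option missing
        esac
    done
    return 0
}

# Constructed sample (not a real server): /tmp hardened as in the post,
# /dev/shm still on its default options, /var/tmp not a separate mount.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec,relatime 0 0
none /dev/shm tmpfs rw,relatime 0 0'

# audit <mounts-text>: report each directory the post secures.
audit() {
    for mp in /tmp /dev/shm; do
        if mount_has_opts "$1" "$mp" noexec,nosuid; then
            echo "OK      $mp has noexec,nosuid"
        else
            echo "WARNING $mp is missing noexec and/or nosuid"
        fi
    done
}

# On a real server: audit "$(cat /proc/mounts)"
audit "$SAMPLE_MOUNTS"
```

Because /var/tmp is a symlink to /tmp after the steps above, checking /tmp covers it; a separate /var/tmp mount would need its own line in the audit loop.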

You are done! Your tmp is secured.

Alex Kondratiev

Founder of ITsyndicate. DevOps Enthusiast with 15+ years of experience in cloud, Infrastructure as Code, Kubernetes, and automation. Specialized in architecting secure, scalable, and resilient systems.
