Mounting /tmp on a Secure Loopback Device
Objective
This document outlines the steps to back `/tmp` with a file-backed (loopback) filesystem, bind the same filesystem to `/var/tmp`, and mount both with the `noexec`, `nosuid` and `nodev` restrictions, so that neither world-writable directory can be used to run dropped binaries, gain privileges through set-UID files, or plant device nodes.
1. Create the Mount Directory
mkdir -p /usr/images/
This command creates the directory `/usr/images/` if it doesn’t already exist.
This directory will store the loopback file that will be used as the `/tmp` partition.
2. Create a 3GB Loopback File
dd if=/dev/zero of=/usr/images/tmpfile.bin bs=1 count=0 seek=3G
`dd` creates `tmpfile.bin` in `/usr/images/`.
`bs=1 count=0` writes no data at all; `seek=3G` moves the end of the file to 3 GB. The result is a sparse file whose blocks are only allocated on the host filesystem when something is actually written to `/tmp`.
Because nothing is reserved up front, the filesystem holding `/usr/images/` must keep 3 GB free; if it fills up, writes to `/tmp` fail with I/O errors even though `/tmp` looks half empty. `fallocate -l 3G /usr/images/tmpfile.bin` reserves the blocks immediately and avoids that failure mode.
Whichever way the file is created it inherits root's umask (normally 0644), so run `chmod 600 /usr/images/tmpfile.bin` as well; otherwise any local user can read every user's temporary files straight out of the backing file, bypassing the permissions inside `/tmp`.
3. Format the File as an ext4 Filesystem
mkfs.ext4 /usr/images/tmpfile.bin
Creates an ext4 filesystem inside `tmpfile.bin`, so the file can be mounted like a disk partition. Because the target is a regular file rather than a block device, `mkfs.ext4` asks for confirmation; answer `y`, or pass `-F` when scripting this.
4. Stop Services That Use /tmp
systemctl stop mysql
systemctl stop lscpd.service
systemctl stop lshttpd.service
systemctl stop lsws.service
These services keep files open under `/tmp`, which would make the unmount fail with `target is busy`. Stop each one with its own command: chaining them with `||` (as is sometimes seen) runs the next `systemctl stop` only when the previous one fails, so only the first service would actually be stopped. `lsof +D /tmp` shows whatever else still has files open there.
5. Unmount /tmp
umount /tmp
umount -l /tmp
`umount /tmp`: unmounts `/tmp` if it is currently a separate mount. On a host where `/tmp` is just a directory on the root filesystem this reports `not mounted`, which can be ignored.
`umount -l /tmp`: a lazy unmount, not a forced one (that is `-f`): the mount point is detached from the namespace immediately and the filesystem is released once the last process closes its files. Use it only as a fallback when the plain `umount` reports `target is busy`.
Whatever was in the old `/tmp` is not deleted; it is hidden underneath the new mount and keeps consuming space until the mount is removed, so clear it first if it holds anything worth keeping or freeing.
6. Mount the New Loopback File as /tmp
mount -o loop,rw,nodev,nosuid,noexec /usr/images/tmpfile.bin /tmp
Mounts `tmpfile.bin` as `/tmp` with:
`loop`: Uses it as a loopback device.
`rw`: Read/write access.
`nodev`: Prevents the creation of device files.
`nosuid`: the set-user-ID and set-group-ID bits on files in `/tmp` are ignored, so a binary dropped there cannot run with another user's privileges.
`noexec`: the kernel refuses to execute binaries and scripts directly from `/tmp` (`/tmp/x` fails with `Permission denied`). It does not stop `sh /tmp/x.sh` or `python /tmp/x.py`, where the interpreter merely reads the file, so treat it as raising the bar against drop-and-run payloads rather than as a complete control.
7. Set Proper Permissions for /tmp
chmod 1777 /tmp
`chmod 1777`: sets `/tmp` world-writable (`777`) with the sticky bit (`1`), so any user can create files but only a file's owner (or root) can delete or rename it. The root directory of a freshly formatted ext4 filesystem is owned by root with mode 755, so without this step unprivileged users cannot write to `/tmp` at all.
8. Bind-Mount /tmp to /var/tmp
mount -o rw,noexec,nosuid,nodev,bind /tmp /var/tmp
`bind` makes the already-mounted `/tmp` tree appear at `/var/tmp` as well, so both paths share one filesystem, one 3 GB limit and one set of files; clean-up rules written for `/tmp` (such as `systemd-tmpfiles` aging) now govern `/var/tmp` too. The `noexec,nosuid,nodev` flags are applied to a bind mount by a second, remount-style `mount(2)` call that `mount(8)` issues internally; util-linux before 2.27 silently ignored flags given together with `bind`. Verify with `findmnt -o TARGET,OPTIONS /var/tmp`, and if the flags are missing run `mount -o remount,bind,noexec,nosuid,nodev /var/tmp`.
9. Update /etc/fstab for Persistent Mounting
vim /etc/fstab
Opens `/etc/fstab` for editing to make changes permanent.
Add these lines at the end of the file:
/usr/images/tmpfile.bin /tmp ext4 loop,rw,noexec,nosuid,nodev 0 0
/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0
Ensures `/tmp` and `/var/tmp` are mounted automatically at boot with the same restrictions. The `loop` option makes `mount` attach the image to a free loop device by itself. Keep the bind line after the `/tmp` line, since it depends on `/tmp` being mounted first.
10. Apply the New fstab Configuration
mount -a
Rereads `/etc/fstab` and mounts every entry that is not already mounted. Since both mounts are already active from steps 6 and 8, this mainly validates the new lines before the next reboot; `findmnt --verify` checks the fstab syntax more thoroughly, and `findmnt -o TARGET,SOURCE,OPTIONS /tmp` (likewise for `/var/tmp`) shows the options the kernel actually applied.
11. Restart Services
systemctl restart mysql
systemctl restart lscpd.service
systemctl restart lshttpd.service
systemctl restart lsws.service
Restarts each previously stopped service. As in step 4, use one command per service rather than a `||` chain, which would restart only the first one. Check the services' logs afterwards: software that expects to execute helpers from `/tmp` will now fail with `Permission denied` and needs its temporary directory pointed elsewhere.
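The whole procedure as one re-runnable script, added here as an example; it is not part of the original guide. The image path, size, mount options and service names are the guide's own; the function names, the `apply` argument, the use of `fallocate` (falling back to the guide's sparse `dd`), `mkfs.ext4 -F`, the explicit `remount,bind` and the `findmnt` checks are my additions and assume util-linux, systemd and e2fsprogs are installed. The option-list and fstab checks are separate functions so they can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the original guide: the eleven steps as one
# idempotent script with verification. IMG, SIZE and SERVICES are the
# guide's values (assumed to fit your host); function names are mine.
set -u

IMG=/usr/images/tmpfile.bin
SIZE=3G
REQUIRED="noexec nosuid nodev"                 # flags both mounts must carry
SERVICES="mysql lscpd.service lshttpd.service lsws.service"

# 0 when every REQUIRED flag is present in a comma-separated option list,
# such as findmnt's OPTIONS column or the fourth field of an fstab line.
has_required_opts() {
    opts=",$1,"
    for flag in $REQUIRED; do
        case "$opts" in
            *",$flag,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# 0 when one fstab(5) line mounts $2 with every REQUIRED flag; comments,
# blank lines and lines for other mount points never match.
fstab_line_ok() {
    mp=$2
    set -- $1
    [ $# -ge 4 ] || return 1
    case "$1" in "#"*) return 1 ;; esac
    [ "$2" = "$mp" ] && has_required_opts "$4"
}

# 0 when the fstab text on stdin already has a hardened entry for $1.
fstab_has_entry() {
    while IFS= read -r line || [ -n "$line" ]; do
        fstab_line_ok "$line" "$1" && return 0
    done
    return 1
}

# Prove noexec bites: a script under $1 must fail to run directly (exit 126),
# even though `sh $1/script` would still run it through the interpreter.
verify_noexec() {
    probe="$1/noexec-probe.$$"
    printf '#!/bin/sh\nexit 0\n' > "$probe" && chmod 755 "$probe"
    if "$probe" 2>/dev/null; then
        rm -f "$probe"; echo "$1 still executes files" >&2; return 1
    fi
    rm -f "$probe"
}

# Steps 1-11 of the guide, safe to re-run. Requires root and util-linux.
harden_tmp() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }

    # Steps 1-3. fallocate reserves the space now, so /tmp cannot later hit
    # ENOSPC because /usr filled up; 0600 keeps other users from reading
    # everyone's temp files straight out of the image.
    mkdir -p "$(dirname "$IMG")"
    if [ ! -e "$IMG" ]; then
        fallocate -l "$SIZE" "$IMG" || dd if=/dev/zero of="$IMG" bs=1 count=0 seek="$SIZE"
        chmod 600 "$IMG"
        mkfs.ext4 -q -F "$IMG"
    fi

    # Step 4: one command per service; a `||` chain would stop only the first.
    for svc in $SERVICES; do systemctl stop "$svc" 2>/dev/null || true; done

    # Steps 5-8. Lazy unmount is the fallback only if the mount is busy;
    # the bind is skipped on a re-run when /var/tmp is already a mount.
    if findmnt -n /tmp >/dev/null; then umount /tmp 2>/dev/null || umount -l /tmp; fi
    mount -o loop,rw,nodev,nosuid,noexec "$IMG" /tmp
    chmod 1777 /tmp
    findmnt -n /var/tmp >/dev/null || mount -o bind /tmp /var/tmp
    # Bind mounts take their flags via a remount; older util-linux drops
    # flags given in the same call as bind, so always remount explicitly.
    mount -o remount,bind,rw,noexec,nosuid,nodev /var/tmp

    # Steps 9-10: append fstab lines only when no hardened entry exists.
    fstab_has_entry /tmp < /etc/fstab ||
        echo "$IMG /tmp ext4 loop,rw,noexec,nosuid,nodev 0 0" >> /etc/fstab
    fstab_has_entry /var/tmp < /etc/fstab ||
        echo "/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0" >> /etc/fstab
    mount -a

    # Step 11, then check what the kernel actually mounted, not what was asked.
    for svc in $SERVICES; do systemctl start "$svc" 2>/dev/null || true; done
    for mp in /tmp /var/tmp; do
        has_required_opts "$(findmnt -no OPTIONS "$mp")" ||
            { echo "$mp is missing one of: $REQUIRED" >&2; return 1; }
    done
    verify_noexec /tmp && echo "/tmp and /var/tmp hardened"
}

# Nothing privileged runs unless invoked as: sh harden-tmp.sh apply
if [ "${1:-}" = "apply" ]; then
    harden_tmp
fi
```

Run `sh harden-tmp.sh apply` as root. Without the argument the script only defines its functions, so the helpers can be sourced into an audit check that feeds `findmnt -no OPTIONS /tmp` into `has_required_opts` on hosts that were set up by hand.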
Conclusion
Following these steps backs `/tmp` and `/var/tmp` with a dedicated filesystem mounted with the `noexec`, `nosuid` and `nodev` restrictions.
This blocks the common pattern of dropping a file into a world-writable directory and executing it, and it prevents privilege escalation through set-UID binaries or device nodes planted there. It is a hardening layer rather than a complete control, since interpreters can still run scripts they read from `/tmp`, and it only holds if the backing image is not world-readable and the flags survive on the bind mount, so verify both with `findmnt` after every change.