Securing /tmp on a Linux logical-volume install

On a default Linux install where no custom partitioning is chosen, the logical-volume layout has no separate /tmp, which is an easy source of security exposure; /dev/shm is another one.

# dd a 1G file, /.tmpfs
dd if=/dev/zero of=/.tmpfs bs=1M count=1000

# Create a file system on it
mke2fs -j /.tmpfs
  6.  
####################
mke2fs 1.41.12 (17-May-2010)
/.tmpfs is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
64000 inodes, 256000 blocks
12800 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=264241152
8 block groups
32768 blocks per group, 32768 fragments per group
8000 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376

Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 32 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
####################
  33.  
# Copy the existing files out of the way
cp -av /tmp /tmp.old

# Mount the file created with dd above
mount -o loop,noexec,nosuid,rw /.tmpfs /tmp

# Restore the default permissions of /tmp
chmod 1777 /tmp

# Move the files copied out earlier back in
mv -f /tmp.old/* /tmp/

# Remove the backup directory
rm -rf /tmp.old


# Edit /etc/fstab so it is mounted automatically after a reboot
/.tmpfs /tmp ext3 loop,nosuid,noexec,rw 0 0

# Symlink /var/tmp to /tmp
mv /var/tmp /var/tmp_bak
ln -s /tmp /var/tmp
cp -Rf /var/tmp_bak/* /var/tmp
rm -rf /var/tmp_bak/
  58.  
# Test
# In /tmp and in /dev/shm, create an executable file and give it 777 permissions
[root@localhost  /tmp]
# ls -lA /tmp/|grep x.sh
-rwxrwxrwx  1 root root     22 Jul 25 15:08 x.sh

[root@localhost  /tmp]
# cat /tmp/x.sh
#!/bin/bash
echo test

[root@localhost  /tmp]
# /tmp/x.sh
-bash: /tmp/x.sh: Permission denied

[root@localhost  /dev/shm]
# ls -lA |grep x.sh
-rwxrwxrwx 1 root root 22 Jul 25 15:08 x.sh

[root@localhost  /dev/shm]
# cat x.sh
#!/bin/bash
echo test

[root@localhost  /dev/shm]
# /dev/shm/x.sh
-bash: /dev/shm/x.sh: Permission denied
# Edit /etc/fstab to set nosuid and noexec on the /dev/shm shared-memory mount
tmpfs   /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
mount -o remount /dev/shm/
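An added check to go with the procedure above (my example, not code from the original post): a POSIX shell audit that reads /proc/mounts-style lines and confirms that /tmp and /dev/shm are separate mounts carrying both nosuid and noexec. The mount table in the block is constructed sample input in which /dev/shm still has its default options; on a live host pass "$(cat /proc/mounts)" instead. After the symlink step /var/tmp resolves to /tmp, so the /tmp result covers it.

```shell
#!/bin/sh
# Constructed sample of /proc/mounts content (not captured from a real host):
# the loop-mounted /tmp from the steps above, /dev/shm still on its default
# options (i.e. before the fstab edit), and an unrelated /home mount.
SAMPLE_MOUNTS='/dev/mapper/vg-root / ext3 rw,relatime 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0
/dev/mapper/vg-home /home ext3 rw,relatime 0 0'

# check_mount_opts MOUNTTABLE MOUNTPOINT OPT...
# Returns 0 when MOUNTPOINT is listed in MOUNTTABLE with every OPT in its
# option field; returns 1 when an option is missing or the path is not a mount.
check_mount_opts() {
    _tbl=$1; _mp=$2; shift 2
    _found=
    # /proc/mounts fields: device mountpoint fstype options dump pass
    while read -r _dev _point _fstype _opts _rest; do
        [ "$_point" = "$_mp" ] && _found=$_opts   # last entry wins, as in the kernel
    done <<EOF
$_tbl
EOF
    [ -n "$_found" ] || return 1
    for _want in "$@"; do
        case ",$_found," in
            *",$_want,"*) ;;            # option present (comma-delimited, so "exec" != "noexec")
            *) return 1 ;;              # option missing
        esac
    done
    return 0
}

# audit_tmp_mounts MOUNTTABLE
# Reports /tmp and /dev/shm, the two locations hardened above; the return
# value is the number of locations still lacking nosuid or noexec.
audit_tmp_mounts() {
    _fails=0
    for _dir in /tmp /dev/shm; do
        if check_mount_opts "$1" "$_dir" nosuid noexec; then
            printf '%s: ok (nosuid,noexec)\n' "$_dir"
        else
            printf '%s: NOT hardened (missing nosuid/noexec or not a separate mount)\n' "$_dir"
            _fails=$((_fails + 1))
        fi
    done
    return $_fails
}

# On a live host: audit_tmp_mounts "$(cat /proc/mounts)"
audit_tmp_mounts "$SAMPLE_MOUNTS" && echo "all temp mounts hardened" || echo "$? location(s) need attention"
```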
