Linux · 2013-09-04

linux下逻辑卷的tmp安全设置

linux默认安装未指定分区时,逻辑卷没有独立的/tmp,/tmp与根分区同属一个文件系统,无法单独加上noexec、nosuid等挂载选项,容易造成安全隐患;/dev/shm也是隐患之一

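# Create a 1G image file, /.tmpfs, that will back the loop-mounted /tmp
dd if=/dev/zero of=/.tmpfs bs=1M count=1000

# Restrict the image to root. Everything later written to /tmp lives inside
# this file, so a world-readable image would expose every user's /tmp files
# regardless of their own permissions.
chmod 600 /.tmpfs

# Create an ext3 filesystem (-j adds the journal). -F skips the
# "is not a block special device. Proceed anyway?" prompt that mke2fs
# otherwise asks when the target is a regular file.
mke2fs -F -j /.tmpfs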

####################
mke2fs 1.41.12 (17-May-2010)
/.tmpfs is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
64000 inodes, 256000 blocks
12800 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=264241152
8 block groups
32768 blocks per group, 32768 fragments per group
8000 inodes per group
Superblock backups stored on blocks: 
        32768, 98304, 163840, 229376

Writing inode tables: done                            
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 32 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
####################

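# Save the current contents of /tmp before the mount hides them.
# -a keeps ownership, modes and timestamps; -v lists what is copied.
cp -av /tmp /tmp.old

# Mount the image on /tmp with hardening options:
#   noexec - no direct execution of files on the mount
#   nosuid - setuid/setgid bits are ignored
#   nodev  - device nodes on the mount are not honoured
# Only restore and delete the backup when the mount succeeded; otherwise
# the copy would land on the old /tmp and the backup would be removed.
if mount -o loop,nodev,nosuid,noexec,rw /.tmpfs /tmp; then
  # "src/." copies dotfiles too (e.g. /tmp/.X11-unix); "src/*" skips them,
  # and the skipped files would then be destroyed by the rm below.
  cp -a /tmp.old/. /tmp/
  # Default /tmp permissions: world-writable with the sticky bit
  chmod 1777 /tmp
  rm -rf -- /tmp.old
else
  printf 'mount of /.tmpfs on /tmp failed; /tmp.old left in place\n' >&2
fi

# Make the mount persistent with an /etc/fstab entry. The options must match
# the mount above, otherwise a reboot silently relaxes them. The grep keeps
# the step idempotent if this is run more than once.
grep -qs '^/\.tmpfs[[:space:]]' /etc/fstab ||
  printf '%s\n' '/.tmpfs /tmp ext3 loop,nodev,nosuid,noexec,rw 0 0' >> /etc/fstab

# Point /var/tmp at /tmp so it inherits the same mount options.
# NOTE(review): /var/tmp is conventionally preserved across reboots and
# cleaned less aggressively than /tmp; with the symlink both follow /tmp's
# cleanup policy — confirm that is acceptable for this host.
mv /var/tmp /var/tmp_bak
ln -s /tmp /var/tmp
# -a (not -Rf) preserves ownership and modes, and "src/." includes dotfiles
cp -a /var/tmp_bak/. /var/tmp/
rm -rf -- /var/tmp_bak/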

#测试
#分别到/tmp与/dev/shm目录里,创建可执行文件,并给与777权限
[root@localhost  /tmp]
# ls -lA /tmp/|grep x.sh
-rwxrwxrwx  1 root root     22 Jul 25 15:08 x.sh

[root@localhost  /tmp]
# cat /tmp/x.sh 
#!/bin/bash
echo test

[root@localhost  /tmp]
# /tmp/x.sh     
-bash: /tmp/x.sh: Permission denied

[root@localhost  /dev/shm]
# ls -lA |grep x.sh
-rwxrwxrwx 1 root root 22 Jul 25 15:08 x.sh

[root@localhost  /dev/shm]
# cat x.sh 
#!/bin/bash
echo test

[root@localhost  /dev/shm]
# /dev/shm/x.sh
-bash: /dev/shm/x.sh: Permission denied
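# /dev/shm (shared memory) is world-writable as well; give it the same
# options as /tmp. Edit the existing /etc/fstab line so that it reads:
#   tmpfs  /dev/shm  tmpfs  defaults,nodev,nosuid,noexec,rw  0 0
# Then apply the options to the live mount. Passing them explicitly makes the
# remount independent of how mount resolves the remaining options from fstab.
mount -o remount,nodev,nosuid,noexec /dev/shm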