Linux 默认安装且未手动指定分区时，逻辑卷中不会有独立的 /tmp，容易造成安全隐患；/dev/shm 也是隐患之一。
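#!/usr/bin/env bash
# Move /tmp onto a dedicated loop-mounted ext3 image mounted noexec,nosuid,nodev,
# so the world-writable /tmp cannot be used to run binaries, setuid programs or
# device nodes. /var/tmp is then pointed at /tmp. Must be run as root.
set -euo pipefail

readonly tmpfs_image=/.tmpfs   # backing file for the new /tmp filesystem
readonly image_mb=1000         # size of the image in MiB (~1 GiB)

# Create the backing file with no group/other permissions. A world-readable
# image would let any local user read the raw filesystem and with it every
# other user's /tmp files, bypassing the sticky bit and per-file modes.
( umask 077 && dd if=/dev/zero of="$tmpfs_image" bs=1M count="$image_mb" )
chmod 600 "$tmpfs_image"

# -j creates an ext3 journal; -F skips the "is not a block special device.
# Proceed anyway?" prompt so the step is non-interactive.
mke2fs -j -F "$tmpfs_image"
# Original interactive transcript (mke2fs 1.41.12, 17-May-2010):
#   /.tmpfs is not a block special device.
#   Proceed anyway? (y,n) y
#   Filesystem label=
#   OS type: Linux
#   Block size=4096 (log=2)
#   Fragment size=4096 (log=2)
#   Stride=0 blocks, Stripe width=0 blocks
#   64000 inodes, 256000 blocks
#   12800 blocks (5.00%) reserved for the super user
#   First data block=0
#   Maximum filesystem blocks=264241152
#   8 block groups
#   32768 blocks per group, 32768 fragments per group
#   8000 inodes per group
#   Superblock backups stored on blocks: 32768, 98304, 163840, 229376
#   Writing inode tables: done
#   Creating journal (4096 blocks): done
#   Writing superblocks and filesystem accounting information: done
#   This filesystem will be automatically checked every 32 mounts or
#   180 days, whichever comes first.  Use tune2fs -c or -i to override.

# Preserve the current contents of /tmp, keeping ownership and modes (-a).
cp -av /tmp /tmp.old

# Mount the image over /tmp. nodev is added to the original noexec,nosuid so
# device nodes created in /tmp are not honoured either.
mount -o loop,noexec,nosuid,nodev,rw "$tmpfs_image" /tmp

# Restore the usual world-writable, sticky /tmp permissions.
chmod 1777 /tmp

# Move the saved files back. Copying "/tmp.old/." instead of "/tmp.old/*"
# also carries over dotfiles, which a bare glob silently skips, and -a keeps
# each file's owner so users can still reach their own entries.
cp -a /tmp.old/. /tmp/
rm -rf -- /tmp.old

# Make the mount persistent across reboots. The entry is appended only once
# so re-running the script does not duplicate it.
readonly fstab_line="$tmpfs_image /tmp ext3 loop,nosuid,noexec,nodev,rw 0 0"
grep -qF -- "$tmpfs_image /tmp " /etc/fstab || printf '%s\n' "$fstab_line" >> /etc/fstab

# Point /var/tmp at /tmp so it inherits the same mount options.
# NOTE(review): /var/tmp is conventionally expected to survive reboots; the
# loop image does persist, but any boot-time cleanup of /tmp now also empties
# /var/tmp — confirm that is acceptable before using this on a server.
mv /var/tmp /var/tmp_bak
ln -s /tmp /var/tmp
cp -a /var/tmp_bak/. /var/tmp/
rm -rf -- /var/tmp_bak/

# Verification (original transcript): a mode-777 script placed in /tmp and in
# /dev/shm is refused by the kernel because of noexec (the /dev/shm result
# assumes the tmpfs remount step has also been applied).
#   [root@localhost /tmp] # ls -lA /tmp/ | grep x.sh
#   -rwxrwxrwx 1 root root 22 Jul 25 15:08 x.sh
#   [root@localhost /tmp] # cat /tmp/x.sh
#   #!/bin/bash
#   echo test
#   [root@localhost /tmp] # /tmp/x.sh
#   -bash: /tmp/x.sh: Permission denied
#   [root@localhost /dev/shm] # ls -lA | grep x.sh
#   -rwxrwxrwx 1 root root 22 Jul 25 15:08 x.sh
#   [root@localhost /dev/shm] # cat x.sh
#   #!/bin/bash
#   echo test
#   [root@localhost /dev/shm] # /dev/shm/x.sh
#   -bash: /dev/shm/x.sh: Permission denied
# noexec blocks direct execution only; it does not prevent an interpreter from
# reading the file as input, so treat it as one hardening layer rather than a
# complete control.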
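#!/usr/bin/env bash
# Harden /dev/shm (the shared-memory tmpfs): remount it nosuid,noexec and,
# in addition to the original settings, nodev. Must be run as root.
set -euo pipefail

# Persist the change across reboots by editing the existing /dev/shm entry in
# /etc/fstab to read (replace the line; do not append a second one):
#   tmpfs /dev/shm tmpfs defaults,nosuid,noexec,nodev,rw 0 0

# Apply it now. The options are passed explicitly instead of relying on a
# bare "mount -o remount" to re-read /etc/fstab, so this works — and is
# idempotent — whether or not the fstab edit has been made yet.
mount -o remount,nosuid,noexec,nodev /dev/shm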