[CentOS] Re: A question about RAID and partitions

Wed May 23 17:54:34 UTC 2007
Dhawal Doshy <dhawal at netmagicsolutions.com>

AbbaComm.Net wrote:
>> Agreed, i would though add a /tmp of 10G or so, mounted as noexec and
>> nosuid for web servers (running maybe insecure php apps or similar).
>>
> 
> Dhawal,
> 
> Are you saying that in /etc/fstab that the entry should be changed from
> 
> LABEL=/tmp	/tmp	ext3	defaults	1 2
> 
> To
> 
> LABEL=/tmp	/tmp	ext3	noop,noexec,nosuid,rw        1 2

minus the noop, which i'm not aware of..
LABEL=/tmp	/tmp	ext3	noexec,nosuid,rw        1 2

> Or do you do something slightly different?
> 
> Any drawbacks you have noticed on an internet facing web and mail server?

One some servers, we've had buggy/older versions of software like phpbb, 
awstats being exploited to to run rootkits from /tmp (OR /var/tmp), 
where the web server has write access. Tuning off exec has helped in 
letting the rootkit not get executed. No drawbacks so far, i can 
possibly only think of some log-reporting utility using /tmp for temp 
access filling it up.. but 10G ought to be sufficient in most cases if 
not make it larger..