Securing /tmp on a CentOS logical-volume install

Category: CentOS operations

When CentOS is installed with the default partition layout, the logical-volume setup gives /tmp no filesystem of its own: it shares the root filesystem, so it cannot be mounted with restrictive options such as noexec and nosuid, which is a security weakness. /dev/shm is another such weak spot.

    # dd a 1 GB file, /.tmpfs, to hold the new /tmp filesystem
    dd if=/dev/zero of=/.tmpfs bs=1M count=1000
    # create the filesystem (-j gives a journal, i.e. ext3)
    mke2fs -j /.tmpfs
    ####################
    mke2fs 1.41.12 (17-May-2010)
    /.tmpfs is not a block special device.
    Proceed anyway? (y,n) y
    Filesystem label=
    OS type: Linux
    Block size=4096 (log=2)
    Fragment size=4096 (log=2)
    Stride=0 blocks, Stripe width=0 blocks
    64000 inodes, 256000 blocks
    12800 blocks (5.00%) reserved for the super user
    First data block=0
    Maximum filesystem blocks=264241152
    8 block groups
    32768 blocks per group, 32768 fragments per group
    8000 inodes per group
    Superblock backups stored on blocks:
            32768, 98304, 163840, 229376

    Writing inode tables: done
    Creating journal (4096 blocks): done
    Writing superblocks and filesystem accounting information: done

    This filesystem will be automatically checked every 32 mounts or
    180 days, whichever comes first.  Use tune2fs -c or -i to override.
    ####################
    # copy the current contents of /tmp aside (the mount below hides them)
    cp -av /tmp /tmp.old
    # mount the file created with dd over /tmp; noexec/nosuid mean nothing inside can be executed or honoured as setuid
    mount -o loop,noexec,nosuid,rw /.tmpfs /tmp
    # restore the default /tmp permissions (world-writable with the sticky bit)
    chmod 1777 /tmp
    # move the copied files back (note: the * glob does not match dotfiles)
    mv -f /tmp.old/* /tmp/
    # remove the backup directory
    rm -rf /tmp.old
    # add this line to /etc/fstab so the mount comes back automatically after a reboot
    /.tmpfs /tmp ext3 loop,nosuid,noexec,rw 0 0
    # symlink /var/tmp to /tmp so it gets the same protection
    mv /var/tmp /var/tmp_bak
    ln -s /tmp /var/tmp
    cp -Rf /var/tmp_bak/* /var/tmp
    rm -rf /var/tmp_bak/
    # test
    # in /tmp and in /dev/shm, create an executable script and give it mode 777
    [root@localhost /tmp]# ls -lA /tmp/ | grep x.sh
    -rwxrwxrwx 1 root root 22 Jul 25 15:08 x.sh
    [root@localhost /tmp]# cat /tmp/x.sh
    #!/bin/bash
    echo test
    [root@localhost /tmp]# /tmp/x.sh
    -bash: /tmp/x.sh: Permission denied
    [root@localhost /dev/shm]# ls -lA | grep x.sh
    -rwxrwxrwx 1 root root 22 Jul 25 15:08 x.sh
    [root@localhost /dev/shm]# cat x.sh
    #!/bin/bash
    echo test
    [root@localhost /dev/shm]# /dev/shm/x.sh
    -bash: /dev/shm/x.sh: Permission denied

    # edit /etc/fstab so the /dev/shm shared-memory mount carries nosuid and noexec
    tmpfs /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
    # apply the new options without a reboot
    mount -o remount /dev/shm
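An added check that is not part of the original post: a POSIX shell script that reads a /proc/mounts-style listing and reports whether /tmp and /dev/shm actually carry the noexec and nosuid options the procedure above sets. The embedded listing is a constructed sample; pass /proc/mounts as the first argument to audit a live system. /var/tmp has no entry of its own after the symlink step and is covered by the /tmp check.

```shell
#!/bin/sh
# Added audit script (not from the original post): verifies that the mount
# points hardened above carry noexec and nosuid. Reads a /proc/mounts-style
# file; pass /proc/mounts as $1 to audit a live system.

# check_mount_opts FILE MOUNTPOINT -> prints one status line; returns 0 only
# if MOUNTPOINT has its own entry with both noexec and nosuid. A mount point
# without an entry inherits its parent's options (the default-install case).
check_mount_opts() {
    mounts="$1"; mp="$2"
    # field 2 of /proc/mounts is the mount point, field 4 the option list;
    # the last matching entry is the one currently in effect
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts")
    if [ -z "$opts" ]; then
        echo "$mp: not a separate mount (inherits options of its parent)"
        return 1
    fi
    missing=""
    for want in noexec nosuid; do
        case ",$opts," in
            *,"$want",*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing (opts: $opts)"
        return 1
    fi
    echo "$mp: ok ($opts)"
}

# audit_mounts FILE MOUNTPOINT... -> returns the number of failing mount points
audit_mounts() {
    mounts="$1"; shift
    failed=0
    for mp in "$@"; do
        check_mount_opts "$mounts" "$mp" || failed=$((failed + 1))
    done
    return "$failed"
}

# Constructed sample: /tmp already loop-mounted as in the post, /dev/shm
# still on its default options.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
/dev/mapper/vg-root / ext4 rw,relatime 0 0
/.tmpfs /tmp ext3 rw,nosuid,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0
EOF
audit_mounts "${1:-$SAMPLE}" /tmp /dev/shm || echo "$? mount point(s) still need hardening"
```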