Securing /tmp in a hosting env

Erwin123
May 14, 2008
On our physical servers we used to set the /tmp partition to noexec; this saved us a lot of trouble.
This is not possible with OpenVZ since there is no separate partition for /tmp.

I searched for a way to protect them anyway since we have a lot of problems with rogue scripts that get uploaded through customers' scripts.

I found this thread:
http://www.eukhost.com/forums/f29/how-do-i-mount-tmp-vpses-noexec-nosuid-options-1025/#post14817

This is on a Virtuozzo server; will this work for OpenVZ?

* Log in to the VPS.
* Edit /etc/fstab:
  - Under the existing line (there should only be one line), add:
    none /tmp tmpfs nodev,nosuid,noexec 0 0
  - Reboot the VPS to make the changes take effect.
  - Log back in and enter "df -h" to see whether the changes have taken effect.

To protect all the tmp dirs in all containers on a node:

Since Virtuozzo 3.0 SP1 it is very easy to mount the /tmp (and /var/tmp if needed) dir on VEs with the noexec, nosuid, nodev options using the newly introduced 'bindmount' technology. You can follow the steps below to mount the /tmp and /var/tmp directories on all VEs with the noexec, nosuid options.

1. Update Virtuozzo installation to Virtuozzo 3 SP1 using 'vzup2date' utility.

2. If you want to mount /tmp and /var/tmp on all VEs with the noexec, nosuid, nodev options, then do the following:
   Insert the following line into the main Virtuozzo configuration file /etc/sysconfig/vz:

   BINDMOUNT="/tmp,nosuid,noexec,nodev /var/tmp,nosuid,noexec,nodev "

   and restart all VEs.

Anyone have any thoughts on this?

Edit: I see Parallels has its own knowledgebase article about it:
http://kb.parallels.com/en/648
none /tmp tmpfs nodev,nosuid,noexec 0 0

Seems to work indeed.
I will test some more and let you know if this works.
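Both recipes in the thread end with "df -h" as the check, but df reports space usage, not mount options. The shell check below is added here and is not part of the thread: it reads a mount table in /proc/mounts format and reports which of nodev, nosuid and noexec are missing on /tmp (or whether /tmp is not a separate mount at all); the two sample tables are constructed, and the function name is my own.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that /tmp is a separate
# mount carrying nodev,nosuid,noexec. "df -h" only shows space usage, so
# the mount table (/proc/mounts format) is read instead.

# Usage: tmp_mount_missing_opts MOUNTS_FILE MOUNTPOINT
# Prints the required options that are absent (empty line if none are);
# returns 1 when the mountpoint has no entry at all (not a separate mount).
tmp_mount_missing_opts() {
    mounts_file="$1"
    mountpoint="$2"
    # Take the last matching entry: later mounts shadow earlier ones.
    opts=$(awk -v mp="$mountpoint" '$2 == mp { o = $4 } END { print o }' "$mounts_file")
    [ -n "$opts" ] || return 1
    missing=""
    for want in nodev nosuid noexec; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample mount tables standing in for /proc/mounts.
hardened=$(mktemp); weak=$(mktemp)
cat >"$hardened" <<'EOF'
/dev/simfs / simfs rw,relatime 0 0
none /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
EOF
cat >"$weak" <<'EOF'
/dev/simfs / simfs rw,relatime 0 0
none /tmp tmpfs rw,relatime 0 0
EOF

report() {  # report MOUNTS_FILE LABEL
    if miss=$(tmp_mount_missing_opts "$1" /tmp); then
        [ -z "$miss" ] && echo "$2: /tmp OK" || echo "$2: /tmp missing: $miss"
    else
        echo "$2: /tmp is not a separate mount"
    fi
}
report "$hardened" "sample-hardened"
report "$weak" "sample-weak"
if [ -r /proc/mounts ]; then report /proc/mounts "this host"; fi
rm -f "$hardened" "$weak"
```

Run it on the host after the fstab or BINDMOUNT change; on a container where the fstab trick did not take, the last line reports that /tmp is not a separate mount.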