Securing your /tmp directory can save you when an out-of-date PHP script lets someone write an executable program containing malicious code into it.
I AM NOT RESPONSIBLE FOR ANY PROBLEMS THIS MAY CAUSE
That being said, let's get to it:
Create a 500MB file to hold our /tmp partition. If you need more space, make the count larger. (The file is created under /dev so the path matches the mount and fstab entries below.)
dd if=/dev/zero of=/dev/tmpMnt bs=1024 count=500000
Make an extended (ext2) filesystem on our tmpMnt file.
Back up your /tmp dir. I had a mysql.sock file that I needed to recreate the symbolic link for; other programs may use it to store cache files or whatever.
cp -pR /tmp /tmp_backup
Mount the new /tmp filesystem with noexec (and nosuid, so set-uid binaries placed there are not honoured either):
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
chmod 1777 /tmp
(1777 rather than 0777 keeps the sticky bit on /tmp, so users can only delete their own files there.)
Copy everything back to the new /tmp and remove the backup:
cp -pR /tmp_backup/* /tmp/
Now we need to add this to fstab so it mounts automatically on reboot.
pico -w /etc/fstab
You should see something like this:
/dev/hda3 / ext3 defaults,usrquota 1 1
/dev/hda1 /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/hda2 swap swap defaults 0 0
At the bottom add:
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0
(Each space is a tab.)
Press Ctrl+X, then Y to save.
You're done: /tmp is now mounted noexec. You can sleep a little bit safer tonight. I created a hello world C++ program, compiled it, then moved it to /tmp. Upon trying to run it (even chmod +x'ed), it gives the following error:
bash: ./a.out: Permission denied
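A way to confirm the mount options without compiling a test binary, added here as an example that is not part of the original post: it reads /proc/self/mounts (or a saved copy passed as the second argument) and reports whether /tmp is a separate mount carrying noexec and nosuid, and it can also emit the fstab entry from above with real tabs. The function names and the optional mounts-file argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a mountpoint (default /tmp)
# is a separate mount carrying noexec and nosuid, by reading /proc/self/mounts.
# A mounts file can be passed as the second argument so the check runs on a saved copy.

# Print the options of the last mount entry for mountpoint $1 found in mounts file $2.
# Empty output means the directory is not a mount at all (it inherits its parent's options).
mount_opts() {
    awk -v mp="$1" '$2 == mp { opts = $4 } END { print opts }' "$2"
}

# Return 0 when noexec and nosuid are both set on the mount, 1 otherwise.
check_mount_hardened() {
    mp="${1:-/tmp}"
    mounts="${2:-/proc/self/mounts}"
    opts=$(mount_opts "$mp" "$mounts")
    if [ -z "$opts" ]; then
        echo "$mp: not a separate mount, inherits the options of its parent filesystem"
        return 1
    fi
    missing=""
    for want in noexec nosuid; do
        # Surround with commas so "noexec" cannot match inside another option name.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: mounted with '$opts', missing:$missing"
        return 1
    fi
    echo "$mp: ok ($opts)"
}

# Emit the fstab entry from the post with real tab characters between the six fields,
# so it can be appended with:  fstab_line >> /etc/fstab
fstab_line() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' "${1:-/dev/tmpMnt}" "${2:-/tmp}" \
        ext2 loop,noexec,nosuid,rw 0 0
}

# Usage after sourcing this file:  check_mount_hardened /tmp
```

The check exits non-zero when /tmp is not its own mount, which is the state you are in before the fstab entry takes effect on reboot.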
Good luck! If it causes problems with any of your software, you can remove the entry from fstab, reboot, and then delete /tmp and recreate it to bring it back to normal.