(ve):Noexec and /tmp troubleshooting

This page was last modified on December 15, 2010, at 17:59.

From (mt) Community Wiki

Many simple exploits used against servers (via vulnerable PHP applications, local users, and so on) rely on being able to execute commands or binaries in /tmp. As a security precaution, /tmp is mounted with the noexec option. This is a good thing and should generally stay that way, but there are some circumstances where you may need /tmp to be executable.

Instructions

The process is a bit different for the (ve) Server. Depending on what you're using /tmp for, you have a few options for working around this restriction. To get around the issue when using apt-get/aptitude, run the following one-liner to make APT use /var/local/tmp instead of /tmp:

echo "APT::ExtractTemplates::TempDir \"/var/local/tmp\";" | tee /etc/apt/apt.conf.d/50extracttemplates && mkdir /var/local/tmp/

Another issue might occur if you attempt to install PECL extensions. To set up a new temporary directory where the extensions are compiled, issue the following commands:

mkdir -p ~/tmp/pear/cache
mkdir -p ~/tmp/pear/temp
pear config-set download_dir ~/tmp/pear/cache
pear config-set temp_dir ~/tmp/pear/temp

If you're simply running ./configure to compile something, most Linux utilities will honor the TMPDIR environment variable. TMPDIR is the canonical Unix variable that points to user scratch space; setting it selects the directory used for temporary files instead of the common default of /tmp. Other forms sometimes accepted are TEMP, TEMPDIR, and TMP, but these are more commonly used by non-POSIX operating systems.
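Before pointing TMPDIR, pear's temp_dir or APT's TempDir at a directory, it is worth checking which mount actually governs that directory and whether it carries noexec. The following is an added example, not code from the original wiki page: it reads a /proc/mounts-style table from standard input and resolves each path to its longest matching mount point; the sample table and its device names are constructed.

```sh
#!/bin/sh
# Added example: find the mount a path lives on and report whether that
# mount carries "noexec". Reads a /proc/mounts-format table from stdin,
# so pass "< /proc/mounts" on a live system.

# mount_opts_for PATH  -> prints the option string of the longest mount
# point that contains PATH (the mount that actually governs it).
mount_opts_for() {
  awk -v p="$1" '
    {
      mp = $2
      gsub(/\\040/, " ", mp)          # /proc/mounts encodes spaces as \040
      if (mp == "/" || p == mp || index(p, mp "/") == 1) {
        # later entries shadow earlier ones, so ">=" keeps the newest match
        if (length(mp) >= best_len) { best_len = length(mp); best = $4 }
      }
    }
    END { print best }'
}

# is_noexec PATH  -> exit 0 if PATH is governed by a noexec mount, else 1
is_noexec() {
  case ",$(mount_opts_for "$1")," in
    *,noexec,*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Constructed sample table (not captured from a real (ve)); on a live
# system feed the functions "< /proc/mounts" instead.
SAMPLE_MOUNTS='/dev/root / ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/root /var/local/tmp ext3 rw,relatime 0 0'

for d in /tmp/build /var/tmp /var/local/tmp /root/tmp; do
  if printf '%s\n' "$SAMPLE_MOUNTS" | is_noexec "$d"; then
    echo "$d: noexec, do not use it as TMPDIR for builds"
  else
    echo "$d: execution allowed"
  fi
done
```

On a live system, `is_noexec "$TMPDIR" < /proc/mounts` before a build tells you whether the directory you chose will actually let ./configure run its test binaries.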

Another option is to simply unmount /tmp and /var/tmp, which leaves the underlying directories on the root filesystem in their place (the unmount fails with "device is busy" if any process still has files open there):

umount /tmp; umount /var/tmp

Keep in mind that if you reboot your (ve) after you've done this, /tmp and /var/tmp will be mounted noexec again.

Finally, if you're still having trouble, you can bind-mount a directory that allows execution over /tmp:

mkdir ~/tmp
mount --bind ~/tmp /tmp

When you're finished, remove the bind mount; this detaches ~/tmp from /tmp and brings back the original noexec /tmp:

umount /tmp

Chrooted /tmp directory

There is also a newer method that ensures no process currently using /tmp is interrupted in any way, and that the executable /tmp you create is never visible to already-running processes. This limits your exposure to possible exploits.

First, create a chrooted environment that contains a tmp directory that allows file execution:

root@ve01:~# mkdir -p /root/chroot /root/tmp
root@ve01:~# mount --bind / /root/chroot
root@ve01:~# mount --bind /root/tmp /root/chroot/tmp
root@ve01:~#

Next, chroot into the environment you created.

root@ve01:~# chroot /root/chroot
root@ve01:/#

At this point you are in the chrooted environment and can run any commands you need to. When you are done, simply type 'exit'.

root@ve01:/# exit
exit
root@ve01:~#

Now you are back to your normal environment. The two bind mounts under /root/chroot stay in place until you unmount them or reboot.