linux下逻辑卷的tmp安全设置
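# Create a ~1 GB image file at /.tmpfs that will back /tmp. GNU dd takes the
# block-size suffix as an upper-case M; a lower-case "1m" is rejected as an
# invalid number.
dd if=/dev/zero of=/.tmpfs bs=1M count=1000
# The image contains every file that will ever live in /tmp, so nobody but root
# may read it: dd creates it with the current umask (typically 0644), which
# would let any local user read other users' /tmp files straight from the image.
chmod 0600 /.tmpfs
# Put an ext3 filesystem on the image (-j adds the journal). mke2fs asks for
# confirmation because the target is a regular file rather than a block device.
mke2fs -j /.tmpfs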
####################
mke2fs 1.41.12 (17-may-2010)
/.tmpfs is not a block special device.
proceed anyway? (y,n) y
filesystem label=
os type: linux
block size=4096 (log=2)
fragment size=4096 (log=2)
stride=0 blocks, stripe width=0 blocks
64000 inodes, 256000 blocks
12800 blocks (5.00%) reserved for the super user
first data block=0
maximum filesystem blocks=264241152
8 block groups
32768 blocks per group, 32768 fragments per group
8000 inodes per group
superblock backups stored on blocks:
32768, 98304, 163840, 229376
writing inode tables: done
creating journal (4096 blocks): done
writing superblocks and filesystem accounting information: done
this filesystem will be automatically checked every 32 mounts or
180 days, whichever comes first. use tune2fs -c or -i to override.
####################
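# Save the current contents of /tmp: mounting over the directory hides
# whatever is in it.
cp -av /tmp /tmp.old
# Mount the image over /tmp. nodev is added next to noexec/nosuid: in a
# world-writable directory a device node is as dangerous as a setuid binary.
mount -o loop,nodev,noexec,nosuid,rw /.tmpfs /tmp
# Give the new root directory the usual sticky, world-writable mode of /tmp.
chmod 1777 /tmp
# Copy the saved contents back. "/tmp.old/." rather than "/tmp.old/*" also
# brings over dotfiles and does not fail when the directory is empty; the
# backup is discarded only once the copy has succeeded.
cp -a /tmp.old/. /tmp/ && rm -rf /tmp.old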
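# Add an /etc/fstab entry so the image is mounted again at boot. The entry is
# only appended when none exists yet, so the step can be repeated safely.
# nodev is included: a world-writable /tmp should not be able to hold device
# nodes.
grep -qs '^/\.tmpfs[[:space:]]' /etc/fstab \
  || printf '%s\n' '/.tmpfs /tmp ext3 loop,nodev,nosuid,noexec,rw 0 0' >> /etc/fstab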
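# Point /var/tmp at the hardened /tmp. The old directory is kept until its
# contents have been copied into place.
mv /var/tmp /var/tmp_bak
ln -s /tmp /var/tmp
# cp -a (not cp -rf) keeps owner, mode and timestamps of files that belong to
# other users, and "/var/tmp_bak/." also picks up dotfiles. /var/tmp and /tmp
# now share one namespace, so a name present in both is overwritten here.
# The backup is removed only if the copy succeeded.
cp -a /var/tmp_bak/. /var/tmp/ && rm -rf /var/tmp_bak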
#测试
#分别到/tmp与/dev/shm目录里,创建可执行文件,并给予777权限
[root@localhost /tmp]
# ls -la /tmp/|grep x.sh
-rwxrwxrwx 1 root root 22 jul 25 15:08 x.sh
[root@localhost /tmp]
# cat /tmp/x.sh
#!/bin/bash
echo test
[root@localhost /tmp]
# /tmp/x.sh
-bash: /tmp/x.sh: permission denied
[root@localhost /dev/shm]
# ls -la |grep x.sh
-rwxrwxrwx 1 root root 22 jul 25 15:08 x.sh
[root@localhost /dev/shm]
# cat x.sh
#!/bin/bash
echo test
[root@localhost /dev/shm]
# /dev/shm/x.sh
-bash: /dev/shm/x.sh: permission denied
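# Harden /dev/shm the same way. Change the existing tmpfs line in /etc/fstab to:
#   tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec,rw 0 0
# then apply it to the running system. The options are passed explicitly so the
# remount takes effect even if the fstab edit was not picked up.
mount -o remount,nodev,nosuid,noexec /dev/shm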