
Question Restricting Script Execution in the /tmp Directory

daanse

Regular Pleskian
Hi,

I'm using Plesk Onyx servers. Is it important to create a new tmp partition?
Will this be the same as this tutorial shows? Enhancing Security

In the docs of Plesk Onyx it isn't described in that place anymore.



Thx
 
It is vitally important to limit script execution in the /tmp partition. The manual section that you refer to describes how to create a new temporary directory and use it as a partition entry. This is only needed when the existing /tmp folder is a folder, but not a partition, because on such a folder, execution permissions cannot be limited as needed.

If your /tmp is a partition already, you can simply run
# mount -o remount,noexec,nosuid,nodev /tmp
to remove execution permissions.
 
Hi @Peter Debik,

Hm, thank you. It doesn't seem so bad. It will probably be risky to create a tmp partition on a running system?
Or to take some free space from an existing partition... Or will the command in the docs not touch existing partitions?
Uhm...
 
Do not change partition size, layout or add or remove a partition on a running Linux system. It is a very risky process with a high likelihood of losing data or even render the whole system unless reinstalled.

For that reason, if you don't have /tmp as a partition, use the procedure from the documentation. It will not touch existing partitions, but reserve space on an existing partition and create an area in it that can be treated as a new partition.
 
@Peter Debik,
thank you. That sounds good.
But it's not clear to me how Plesk knows what my new tmp folder is. Or am I missing something?
How do I tell Plesk where my new tmp folder/partition is?
 
Plesk uses /tmp as the default. It does not need to know if that is a partition or a virtual partition or where a /tmp folder is located. So normally there should not be any need to change the configuration of Plesk. In the case that you want to use a different temporary directory or a different temporary directory for only some functions like PMM (migrator, backups), you can edit /etc/psa/psa.conf and enter the appropriate paths.
 
Hi @Peter Debik,

I think I have got it.
But I am still feeling uncomfortable:
I did as the docs said and all websites stopped running. Something with /tmp/....... < Permission Denied>
So I additionally ran # chmod 1777 /tmp
I am not sure if this is good, but at least the sites are running again.

Code:
Filesystem      Size  Used Avail Use% Mounted on
......
/dev/loop0      3.9G  8.2M  3.7G   1% /tmp
and
Code:
# ls -ld /tmp
drwxrwxrwt 9 root root 4096 Jun  5 07:33 /tmp

Is that now more secure, or did I not enhance security after chmod tmp?
 
The setting 1777 is correct. Please check the first answer on What are common rights for /tmp ? I unintentionnally set it all public recursively to learn more about why and what.

You can test whether execution in /tmp is possible by creating a small .sh (bash shell) script that does something like displaying a message. Then give that script execution permissions in /tmp and try to run it from /tmp. It should not run if things have been done correctly.

You can check the "partition" settings with
# mount | egrep --color -w '^(tmpfs|/tmp)|/tmp'
For the /tmp line, this should return "noexec" and "nosuid" in the result.
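
The checks from this reply (mount options, the 1777 mode and the execution test), collected as an added example that is not part of the original post. Function names are hypothetical; the sample input reuses mount lines posted in this thread, whose /tmp entry carries nosuid and noexec but not the nodev option from the earlier remount command.

```shell
#!/bin/sh
# Added example; function names are hypothetical. SAMPLE_MOUNT reuses two lines
# of mount output posted in this thread.
SAMPLE_MOUNT='tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
/filesystems/tmp_fs on /tmp type ext3 (rw,nosuid,noexec,relatime,data=ordered)'

# mount_opts MP: from `mount` output on stdin, print the options of the last
# entry mounted exactly on MP (a later mount shadows an earlier one).
mount_opts() {
    awk -v mp="$1" '$2 == "on" && $3 == mp { o = $NF }
                    END { gsub(/[()]/, "", o); print o }'
}

# missing_opts MP: print which of noexec,nosuid,nodev are absent for MP.
# Prints "not-a-mountpoint" if MP has no entry (a plain folder, as discussed above).
missing_opts() {
    opts=$(mount_opts "$1")
    [ -n "$opts" ] || { echo "not-a-mountpoint"; return 0; }
    out=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) out="$out $want" ;;
        esac
    done
    echo "${out# }"
}

# mode_is_1777 DIR: true if DIR is world-writable with the sticky bit set.
mode_is_1777() { ls -ld "$1" | grep -q '^drwxrwxrwt'; }

# exec_blocked DIR: the practical test described above. Returns 0 if a script
# marked executable inside DIR is refused, 1 if it runs, 2 if DIR is unusable.
exec_blocked() {
    probe=$(mktemp "$1/noexec-probe.XXXXXX") || return 2
    printf '#!/bin/sh\nexit 0\n' > "$probe"
    chmod 700 "$probe"
    if "$probe" 2>/dev/null; then rc=1; else rc=0; fi
    rm -f "$probe"
    return "$rc"
}

# On a live host: mount | missing_opts /tmp; mode_is_1777 /tmp; exec_blocked /tmp
echo "sample /tmp lacks: $(printf '%s\n' "$SAMPLE_MOUNT" | missing_opts /tmp)"
```

The execution test only covers direct execution; a script in a noexec /tmp can still be read by an interpreter invoked as `sh /tmp/script.sh`.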
 
Hi @Peter Debik,

awesome, that sounds good.

My output:
Code:
# mount | egrep --color -w '^(tmpfs|/tmp)|/tmp'
tmpfs on /run type tmpfs (rw,nosuid,relatime,size=1639564k,mode=755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
/filesystems/tmp_fs on /tmp type ext3 (rw,nosuid,noexec,relatime,data=ordered)

Looks good. I will test execution in that folder.

I have another question: the old folders in /tmp/ with dots at the beginning, are they important? They were not moved back.
Probably they won't be important, as they are empty.

And is there any recommendation for how much space the tmp partition should have?
Before, I ran
Code:
# du -sh /tmp
to get a size and at least doubled it. But I don't know if this will be enough.
 
Hmm, interesting question. The "missing" dot-folders should be there, and yes, they are important; at least the .X11-unix is. I wonder how that can be that they are not in place, yet the system obviously runs without trouble? Have you tried this with
# ls -la
(include the hidden files in output)?
 
Hm,
yes, I double-checked Plesk CP and some websites, and FTP. Everything seems fine after chmod 1777. Before, everything was down.
Maybe I did not use the right command for moving the files back to the tmp folder.

Maybe this cmd:
Code:
 cp -R /tmpbak/* /tmp/
would be right to have everything moved, including dot files? I'm not sure.
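
On the dot-folder question raised above, an added example (not part of the original thread) comparing the `/tmpbak/*` copy with one that includes hidden entries. It works only in a scratch directory; the function names and the sample file name are hypothetical.

```shell
#!/bin/sh
# Added example: why `cp -R /tmpbak/* /tmp/` leaves dot entries behind.
# restore_glob / restore_all are hypothetical names; scratch directories only.

# The shell expands * before cp runs, and * never matches names that start
# with a dot, so hidden entries are never handed to cp.
restore_glob() { cp -R "$1"/* "$2"/; }

# "SRC/." refers to the directory contents as a whole, hidden entries included;
# -a also preserves mode and timestamps (and ownership when run as root).
restore_all() { cp -a "$1"/. "$2"/; }

# Constructed stand-in for the backup: one hidden directory with a /tmp-style
# mode and one visible file. Prints the scratch directory path.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/tmpbak/.X11-unix" "$work/glob" "$work/all"
    chmod 1777 "$work/tmpbak/.X11-unix"
    : > "$work/tmpbak/sess_example"
    restore_glob "$work/tmpbak" "$work/glob"
    restore_all  "$work/tmpbak" "$work/all"
    echo "$work"
}

w=$(demo)
echo "copied with /*:"; ls -A "$w/glob"
echo "copied with /. :"; ls -A "$w/all"
rm -rf "$w"
```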
 