CSEC_PUBLIC/the-practical-linux-hardening-guide
1
0
Fork 0
mirror of https://github.com/trimstray/the-practical-linux-hardening-guide.git synced 2025-12-06 17:22:51 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1 from FlorianHeigl/patch-1

Browse Source 
/dev/shm lockdown
This commit is contained in:
@trimstray
2019-01-22 15:39:25 +01:00
committed by GitHub
parent 66c1763738 0dd258d12f
commit ad4ab66e2e
1 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
README.md
View File

@@ -540,12 +540,18 @@ And set `nodev`, `nosuid` and `noexec` mount options in `/etc/fstab`.
#### :eight_pointed_black_star: Secure /dev/shm
`/dev/shm` is a temporary file storage filesystem, i.e. **tmpfs**, that uses RAM for the backing store. One of the major security issue with the `/dev/shm` is anyone can upload and execute files inside the `/dev/shm` similar to the `/tmp` partition.
`/dev/shm` is a temporary file storage filesystem, i.e. **tmpfs**, that uses RAM for the backing store. One of the major security issue with the `/dev/shm` is anyone can upload and execute files inside the `/dev/shm` similar to the `/tmp` partition. Further the size should be limited to avoid an attacker filling up this mountpoint to the point where applications could be affected. (normally it allows 20% or more of RAM to be used). The sticky bit should be set like for any world writeable directory.
For applies to shared memory `/dev/shm` mount params:
```bash
tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec 0 0
tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,size=1024M,mode=1777 0 0
```
> You can also create a group named 'shm' and put application users for SHM-using applications in there. Then the access can be completely be restricted as such:
```bash
tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,size=1024M,mode=1770,uid=root,gid=shm 0 0
```
#### :eight_pointed_black_star: Secure /proc filesystem