Secure /tmp and /dev/shm directories in a OpenVZ enviroment

Tuesday, August 31, 2010 posted by Till

The /tmp and /dev/shm directories of a OpenVZ virtual machine shall be mounted without suid and exec permissions. To achieve this, create a a shell script on the host server for every virtual machine which contains the commands to remount the directories. This script will be started automatically by openvz when the VM is started.

I will use VPSID as placeholder for the ID of the virtual machine in the commands and the script. Replace VPSID with the id of the virtual machine that you want to create the script for, e.g. replace VPSID with 101.

Create the script:

vi /etc/vz/conf/VPSID.mount

and insert the following lines:

#!/bin/bash
mount -n --bind -onosuid,noexec /vz/vps/VPSID/tmp /vz/root/VPSID/tmp
mount -n --bind -onosuid,noexec /vz/vps/VPSID/shm /vz/root/VPSID/dev/shm
exit ${?}

now make the sscript executable:

chmod 700 /etc/vz/conf/VPSID.mount

Be Sociable, Share!



2 Responses to “Secure /tmp and /dev/shm directories in a OpenVZ enviroment”

  1. R2-D8 says:

    Is this needed for every ISPConfig-Installation on Virtual-Servers
    or is it meant to help when handling own OpenVZ-VMs?

Leave a Reply