The /tmp and /dev/shm directories of an OpenVZ virtual machine should be mounted with the nosuid and noexec options, so that setuid bits are ignored and files cannot be executed from these directories. To achieve this, create a shell script on the host server for every virtual machine which contains the commands to remount the directories. OpenVZ runs this script automatically when the VM is started.

I will use VPSID as a placeholder for the ID of the virtual machine in the commands and the script. Replace VPSID with the ID of the virtual machine that you want to create the script for, e.g. replace VPSID with 101.

Create the script:

vi /etc/vz/conf/VPSID.mount

and insert the following lines:

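#!/bin/bash
# Bind-mount the VM's tmp and shm directories with nosuid and noexec.
# -n: do not write the mounts to /etc/mtab.
mount -n --bind -onosuid,noexec /vz/vps/VPSID/tmp /vz/root/VPSID/tmp || exit ${?}
mount -n --bind -onosuid,noexec /vz/vps/VPSID/shm /vz/root/VPSID/dev/shm
exit ${?}

Now make the script executable: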

chmod 700 /etc/vz/conf/VPSID.mount
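
To confirm on the host that the options took effect after the VM has started, the mount table can be checked. The following is an added example, not part of the original post; the function names, the device names and the sample mount table are constructed for illustration.

```bash
#!/bin/bash
# Added example: verify that a VM's /tmp and /dev/shm bind mounts carry
# nosuid and noexec. Reads /proc/mounts, since "mount -n" skips /etc/mtab.

# mount_opts MOUNTS_FILE MOUNTPOINT
# Prints the options of the last (topmost) entry for MOUNTPOINT; 1 if absent.
mount_opts() {
    awk -v mp="$2" '$2 == mp { opts = $4; found = 1 }
                    END { if (!found) exit 1; print opts }' "$1"
}

# has_opt OPTS NAME: true if NAME is one of the comma-separated options.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# check_ct VPSID [MOUNTS_FILE]
# Returns 0 only if both mount points exist with nosuid and noexec.
check_ct() {
    local id="$1" mounts="${2:-/proc/mounts}" mp opts rc=0
    case "$id" in ''|*[!0-9]*) echo "invalid VPSID: $id" >&2; return 2 ;; esac
    for mp in "/vz/root/$id/tmp" "/vz/root/$id/dev/shm"; do
        if ! opts=$(mount_opts "$mounts" "$mp"); then
            echo "FAIL $mp: not mounted"; rc=1; continue
        fi
        if has_opt "$opts" nosuid && has_opt "$opts" noexec; then
            echo "OK   $mp ($opts)"
        else
            echo "FAIL $mp: options are $opts"; rc=1
        fi
    done
    return $rc
}

# Constructed sample table (not from a real host): VM 101 is hardened,
# VM 102 has /tmp bound without the restrictive options.
sample_mounts() {
    cat <<'EOF'
/dev/sda3 /vz ext4 rw,relatime 0 0
/dev/sda3 /vz/root/101/tmp ext4 rw,nosuid,noexec,relatime 0 0
/dev/sda3 /vz/root/101/dev/shm ext4 rw,nosuid,noexec,relatime 0 0
/dev/sda3 /vz/root/102/tmp ext4 rw,relatime 0 0
/dev/sda3 /vz/root/102/dev/shm ext4 rw,nosuid,noexec,relatime 0 0
EOF
}

demo=$(mktemp); sample_mounts > "$demo"
check_ct 101 "$demo" || true; check_ct 102 "$demo" || true
rm -f "$demo"
```

On a real host, call check_ct with only the VM ID so that it reads /proc/mounts.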

Secure /tmp and /dev/shm directories in an OpenVZ environment
2 thoughts on “Secure /tmp and /dev/shm directories in an OpenVZ environment”

  • June 10, 2011 at 2:16 am

    Is this needed for every ISPConfig-Installation on Virtual-Servers
    or is it meant to help when handling own OpenVZ-VMs?

    • June 10, 2011 at 9:40 am

      This is OpenVZ specific.
