Secure /tmp and /dev/shm directories in a OpenVZ enviroment

The /tmp and /dev/shm directories of a OpenVZ virtual machine shall be mounted without suid and exec permissions. To achieve this, create a a shell script on the host server for every virtual machine which contains the commands to remount the directories. This script will be started automatically by openvz when the VM is started.

I will use VPSID as placeholder for the ID of the virtual machine in the commands and the script. Replace VPSID with the id of the virtual machine that you want to create the script for, e.g. replace VPSID with 101.

Create the script:

vi /etc/vz/conf/VPSID.mount

and insert the following lines:

#!/bin/bash
mount -n --bind -onosuid,noexec /vz/vps/VPSID/tmp /vz/root/VPSID/tmp
mount -n --bind -onosuid,noexec /vz/vps/VPSID/shm /vz/root/VPSID/dev/shm
exit ${?}

now make the sscript executable:

chmod 700 /etc/vz/conf/VPSID.mount

facebooktwittergoogle_plusredditlinkedinmail

2 thoughts on “Secure /tmp and /dev/shm directories in a OpenVZ enviroment”

  1. Is this needed for every ISPConfig-Installation on Virtual-Servers
    or is it meant to help when handling own OpenVZ-VMs?

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>