The /tmp and /dev/shm directories of an OpenVZ virtual machine should be mounted with the nosuid and noexec options. To achieve this, create a shell script on the host server for every virtual machine that contains the commands to remount the directories. OpenVZ starts this script automatically when the VM is started.

I will use VPSID as a placeholder for the ID of the virtual machine in the commands and the script. Replace VPSID with the ID of the virtual machine that you want to create the script for, e.g. replace VPSID with 101.

Create the script:

vi /etc/vz/conf/VPSID.mount

and insert the following lines:

#!/bin/sh
# Bind-mount the VM's private tmp and shm directories over /tmp and /dev/shm of the
# running container with nosuid and noexec set (-n: do not write to /etc/mtab)
mount -n --bind -onosuid,noexec /vz/vps/VPSID/tmp /vz/root/VPSID/tmp
mount -n --bind -onosuid,noexec /vz/vps/VPSID/shm /vz/root/VPSID/dev/shm
exit ${?}

Now make the script executable:

chmod 700 /etc/vz/conf/VPSID.mount
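Once the VM has been started, it is worth confirming that the two bind mounts really carry nosuid and noexec. The script below is an added example, not part of the original post: it reads a mount table in /proc/mounts format and checks the options of /tmp and /dev/shm under /vz/root/VPSID. The sample table is constructed, and the helper names verify_vps and check_mount_opts are my own.

```shell
#!/bin/sh
# Added example (not from the original post): confirm from the host that the
# bind mounts created by /etc/vz/conf/VPSID.mount really carry nosuid,noexec.
# Some kernels ignore options given at bind time until a remount, so the live
# mount table is the real check. On a host run: verify_vps 101 /proc/mounts

# check_mount_opts TABLE MOUNTPOINT OPT...: 0 if MOUNTPOINT is listed in TABLE
# (/proc/mounts format) with every OPT; the last entry wins (topmost mount).
check_mount_opts() {
    table="$1"; mp="$2"; shift 2
    # /proc/mounts fields: device, mount point, fstype, options, dump, pass
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$table" | tail -n 1)
    [ -n "$opts" ] || return 1
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# verify_vps VPSID TABLE: checks /tmp and /dev/shm under /vz/root/VPSID (the
# paths the mount script uses); 0 only if both are nosuid,noexec.
verify_vps() {
    vpsid="$1"; table="$2"; status=0
    for dir in tmp dev/shm; do
        if check_mount_opts "$table" "/vz/root/$vpsid/$dir" nosuid noexec; then
            echo "OK   /vz/root/$vpsid/$dir"
        else
            echo "FAIL /vz/root/$vpsid/$dir is not mounted nosuid,noexec"
            status=1
        fi
    done
    return $status
}

# Constructed /proc/mounts excerpt for VPSID 101 (the post's example ID): /tmp
# is right, but the /dev/shm bind mount lost its options, which the check catches.
SAMPLE_TABLE="${TMPDIR:-/tmp}/sample_mounts.$$"
cat > "$SAMPLE_TABLE" <<'EOF'
/dev/simfs /vz/root/101 simfs rw,relatime 0 0
/dev/simfs /vz/root/101/tmp simfs rw,nosuid,noexec,relatime 0 0
/dev/simfs /vz/root/101/dev/shm simfs rw,relatime 0 0
EOF

if verify_vps 101 "$SAMPLE_TABLE"; then echo "all mounts hardened"; else echo "fix the mounts flagged above"; fi
```

The same check works from inside the container by pointing it at the container's own /proc/mounts and using /tmp and /dev/shm as the mount points.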

Secure /tmp and /dev/shm directories in an OpenVZ environment

2 thoughts on “Secure /tmp and /dev/shm directories in an OpenVZ environment”

  • June 10, 2011 at 2:16 am

    Is this needed for every ISPConfig installation on virtual servers,
    or is it meant to help when handling your own OpenVZ VMs?

    • June 10, 2011 at 9:40 am

      This is OpenVZ specific.

