Saturday, November 15, 2008

securing your /tmp directory - how to

[alex@www tmp]$ touch alex.sh
[alex@www tmp]$ pwd
/tmp
[alex@www tmp]$ ls
alex.sh gconfd-root lost+found mapping-root
[alex@www tmp]$


Write a stupidly simple sample script for testing:
[alex@www tmp]$ vi /tmp/alex.sh
echo a;

note: a single line, echo a, will do; then save and quit.


Then set the executable bit on alex.sh so that it can be run:
[alex@www tmp]$ chmod a+x alex.sh

Run the script and see:
[alex@www tmp]$ ./alex.sh
a
Note: SHIT, it is able to execute in /tmp. That is dangerous and should not be allowed on a production server.

Switch user to root
[alex@www tmp]$ su -l root
Password:

Then, modify /etc/fstab:
[root@www ~]# vi /etc/fstab
/dev/md0   /          ext3     defaults                 1 1
/dev/md3   /var       ext3     defaults                 1 2
/dev/md2   /tmp       ext3     loop,nosuid,noexec,rw    1 2
tmpfs      /dev/shm   tmpfs    defaults                 0 0
devpts     /dev/pts   devpts   gid=5,mode=620           0 0
sysfs      /sys       sysfs    defaults                 0 0
proc       /proc      proc     defaults                 0 0
/dev/md1   swap       swap     defaults                 0 0

note: only the options column of the /tmp line needs editing :P the rest stays as it is

After that, remount /tmp so the new options take effect:
[root@www ~]# mount -o remount /tmp

Re-run the script and see:
[alex@www tmp]$ ls -la
total 72
drwxrwxrwt 7 root root 4096 Nov 15 18:50 .
drwxr-xr-x 24 root root 4096 Nov 8 17:49 ..
-rwxrwxr-x 1 alex alex 9 Nov 15 18:49 alex.sh
drwxrwxrwt 2 root root 4096 Nov 8 17:49 .font-unix
drwx------ 2 root root 4096 Nov 8 17:32 gconfd-root
srw-rw-rw- 1 root root 0 Nov 8 17:49 .gdm_socket
drwxrwxrwt 2 root root 4096 Nov 8 17:49 .ICE-unix
drwx------ 2 root root 16384 Nov 8 15:09 lost+found
srwxr-xr-x 1 root root 0 Nov 8 15:25 mapping-root
-rw------- 1 root root 1024 Nov 8 15:13 .rnd
-r--r--r-- 1 root root 11 Nov 8 17:49 .X0-lock
drwxrwxrwt 2 root root 4096 Nov 15 18:18 .X11-unix
-r--r--r-- 1 alex alex 11 Nov 15 18:18 .X2-lock

[alex@www tmp]$ ./alex.sh
-bash: ./alex.sh: Permission denied

See, it is permission denied :P wakakak
It is not able to execute anymore :P
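
To confirm the change really took effect after the remount (and survives a reboot), the mount table can be checked instead of re-running a test script. The following is an added example, not part of the original post: it reads a table in /proc/mounts format and reports which of the options added above are missing. It goes one step beyond the post by also checking /dev/shm, which is left at defaults in the fstab above; the function names, the choice of /dev/shm and the sample table are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: check that temp mount points carry the options this page
# adds to /tmp. Input is a table in /proc/mounts format on stdin.
REQUIRED="nosuid noexec"        # options from the fstab change above
MOUNTPOINTS="/tmp /dev/shm"     # /dev/shm is an assumption: also world-writable

# missing_opts MOUNTPOINT -> prints the required options that are absent,
# "not-mounted" if MOUNTPOINT has no entry, or nothing if all are present.
missing_opts() {
    # Last matching line wins, because a later mount shadows an earlier one.
    opts=$(awk -v mp="$1" '$2 == mp { o = $4 } END { print o }')
    [ -n "$opts" ] || { echo "not-mounted"; return 0; }
    missing=""
    for want in $REQUIRED; do
        case ",$opts," in
            *",$want,"*) ;;                            # option present
            *) missing="${missing:+$missing }$want" ;; # option absent
        esac
    done
    echo "$missing"
}

# audit -> one line per mount point; returns 1 if any lacks an option.
audit() {
    table=$(cat)
    rc=0
    for mp in $MOUNTPOINTS; do
        m=$(printf '%s\n' "$table" | missing_opts "$mp")
        if [ -z "$m" ]; then echo "OK   $mp"; else echo "WEAK $mp: $m"; rc=1; fi
    done
    return $rc
}

# Constructed sample (device names illustrative), mirroring the fstab above
# after the remount: /tmp is hardened, /dev/shm is still at defaults.
sample_table() {
    cat <<'EOF'
/dev/md0 / ext3 rw 0 0
/dev/md2 /tmp ext3 rw,nosuid,noexec 0 0
tmpfs /dev/shm tmpfs rw 0 0
EOF
}

# Demo on the sample; on a real host run: audit < /proc/mounts
sample_table | audit || echo "fix the WEAK entries in /etc/fstab and remount"
```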
