Mount /tmp with `noexec` and `nosuid` Options Inside chroot

Tags: January 15, 2013 6:55 AM

To add extract security on chroot environment, it's better to make the /tmp directory cannot execute a file by mounting /tmp with 'noexec' and 'nosuid' options.

Create Partiotion

To simplify just create loopback device file for mounting /tmp later. (The size of partition for this example is 50MB)
  • /opt/jail: chroot directory
  • /opt/tmpdisk.img: loopback device
# dd if=/dev/zero of=/opt/tmpdisk.img bs=1M count=50
# mkfs.ext4 /opt/tmpdisk.img
# mount -o loop,rw,noexec,nosuid /opt/tmpdisk.img /opt/jail/tmp
Verify to make sure the mounted partition has 'noexec' and 'nosuid'.
# mount
/opt/tmpdisk.img on /opt/jail/tmp type ext4 (rw,noexec,nosuid,commit=0)

Test the /tmp

Try to execute some of executable file inside /tmp directory.
# cp /opt/jail/bin/ls /opt/jail/tmp/
# chroot /opt/jail /bin/bash
# /bin/ls
# /tmp/ls
bash: /tmp/ls: Permission denied
# /lib/ /tmp/ls
/tmp/ls: error while loading shared libraries: /tmp/ls: failed to map segment from shared object: Operation not permitted

Share on Facebook Twitter


Post a Comment