Good Idea / Bad Idea - /dev/shm with nosuid, nodev, and noexec

Steve Alligood steve at betterlinux.com
Fri Jul 27 18:07:47 MDT 2012


I have seen multiple script kiddies try to hide stuff in /dev/shm due to it generally being available and allowing executables.  noexec is a good idea, though I would test any important apps before doing production that way.

On a side note, the best deterrent I have found for script kiddies was to lock down outbound connections to only specifically what you need.  If they cannot connect out, the server becomes a lot less desirable.  Of course, keeping them out in the first place is best, but you cannot always control that with other users that can run whatever they want to.

-Steve

Sent from my iPhone

On Jul 27, 2012, at 5:38 PM, Joshua Marsh <joshua at themarshians.com> wrote:

> On Fri, Jul 27, 2012 at 5:05 PM, Jacob Albretsen <jakea at xmission.com> wrote:
> 
>> I am hardening some CentOS 5 and 6 boxes, and one of the recommendations I'm
>> reading is to mount /dev/shm with nosuid, nodev, and noexec. I've read about
>> what /dev/shm is, but I lack a deeper understanding. I've seen some things
>> online talking about it, but nothing concrete as to why it's a good idea other
>> than "it's more secure". Can anyone enlighten me more about this? I don't
>> want to run into any unintended issues down the road (will XYZ services still
>> work, can I still run VMs, etc etc)
>> 
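As an added example (not part of the thread and not code from any of the posters), here is a small POSIX shell audit for the hardening Jacob asks about: it reads a mount table line in /proc/self/mounts format, reports which of nosuid, nodev and noexec are missing for /dev/shm, and prints the fstab entry that makes the options persistent. The two sample mount lines are constructed; `check_live` is the only function that touches the running system.

```shell
#!/bin/sh
# Added example, not from the PLUG thread: audit /dev/shm for the
# nosuid,nodev,noexec mount options and show the fstab line that enforces them.
# Input lines use the /proc/self/mounts format:
#   <device> <mountpoint> <fstype> <options> <dump> <pass>

# Constructed sample lines: one hardened /dev/shm, one with stock options.
SAMPLE_HARDENED='tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_DEFAULT='tmpfs /dev/shm tmpfs rw,relatime 0 0'

# mount_opts LINE -> prints the comma-separated option field (4th column)
mount_opts() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# has_opt OPTS OPT -> returns 0 only when OPT is a whole token in OPTS
# (so "nosuid" does not match a hypothetical "nosuidx").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_shm_line LINE -> prints "missing: ..." and returns 1 if any of the
# three hardening options is absent; returns 0 when all are present.
check_shm_line() {
    opts=$(mount_opts "$1")
    missing=""
    for want in nosuid nodev noexec; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    missing=${missing# }
    if [ -n "$missing" ]; then
        printf 'missing: %s\n' "$missing"
        return 1
    fi
    return 0
}

# check_live MOUNTPOINT -> audits the running system's entry for MOUNTPOINT
# (returns 2 if it is not mounted at all).
check_live() {
    line=$(awk -v mp="$1" '$2 == mp { print; exit }' /proc/self/mounts 2>/dev/null)
    [ -n "$line" ] || { printf '%s is not mounted\n' "$1"; return 2; }
    check_shm_line "$line"
}

# fstab_line -> the /etc/fstab entry that keeps the options across reboots;
# after adding it, `mount -o remount /dev/shm` applies it to the live mount.
fstab_line() {
    printf 'tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0\n'
}

# Demonstration on the constructed samples (failures are expected here).
printf 'hardened sample: '; check_shm_line "$SAMPLE_HARDENED" && echo ok
printf 'default sample:  '; check_shm_line "$SAMPLE_DEFAULT" || true
printf 'fstab entry:     '; fstab_line
```

Run `check_live /dev/shm` on a CentOS box to audit the real mount; the whole-token match in `has_opt` matters because option fields such as `relatime` or `size=...` sit in the same comma list. Steve's caveat still applies: remount with noexec on a test host first, since anything that builds and runs binaries out of /dev/shm will start failing with "Permission denied".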

