By default, /tmp is just a directory on the / partition. In this guide I'll show you how to create a separate partition for /tmp on LVM (or on a loop-mounted file) and mount it with restrictive options for security purposes.
We're going to mount /tmp with the following options:
- noexec: disables direct execution of any binary on the mounted filesystem. Many local and remote attacks drop a payload such as a rootkit into the world-writable /tmp and then execute it from there; noexec makes that step fail. Treat it as one layer rather than a complete defense: an interpreter such as sh, perl or python can still read and run a script stored in /tmp.
- nosuid: set-user-ID and set-group-ID bits on files in this filesystem do not take effect, so a binary planted in /tmp cannot gain elevated privileges that way.
- nodev: do not interpret character or block special devices on this filesystem, so a device node created in /tmp cannot be used to reach raw disks or memory.
- rw: mount the filesystem read/write.
1) Create LVM Logical volume for /tmp
First, check the free space in your volume group:
$ sudo vgs
  VG             #PV #LV #SN Attr   VSize   VFree
  cpanel-backups   1   2   0 wz--n- 299.99g 39.99g
As you can see from my cpanel-backups volume group, I have about 40 GB free. I'll create a 10 GB logical volume for the /tmp filesystem:
$ sudo lvcreate -n tmp -L 10G cpanel-backups
  Logical volume "tmp" created.
Create the filesystem:
$ sudo mkfs.xfs /dev/mapper/cpanel--backups-tmp
This creates an XFS filesystem (the same device is also reachable as /dev/cpanel-backups/tmp). Add an entry to /etc/fstab so the mount persists across reboots. Note that the loop option does not belong here: loop is only for mounting a regular file (see the second method below), and an LVM logical volume is already a block device.
$ sudo vim /etc/fstab
/dev/mapper/cpanel--backups-tmp /tmp xfs nosuid,noexec,nodev,rw 0 0
Mount the new filesystem with mount -a, which mounts every fstab entry that is not yet mounted:
$ sudo mount -a
$ df -hT | grep /tmp
/dev/mapper/cpanel--backups-tmp xfs   10G   34M   10G   1% /tmp
Good, it was mounted successfully. Two things to take care of right after the first mount. The root directory of a freshly created filesystem is owned by root with mode 0755, so restore the sticky, world-writable mode (1777) on /tmp with chmod, otherwise unprivileged users and services cannot create temporary files. Also remember that mounting over /tmp hides whatever was already in the old directory on /, so do this at a quiet time (ideally before a reboot or from single-user mode) rather than under a running workload with open files there.
2) Create a /tmp backing file using dd or fallocate
Instead of using LVM, you can create a 10 GB file on your / filesystem and use it as the backing store for the /tmp filesystem. If you need more space, increase the seek value. With count=0 and seek=10G, dd creates a sparse file: it reports 10 GB but occupies no real disk space until blocks are written, which means the space is not reserved and writes to /tmp will fail once / itself fills up.
$ sudo dd if=/dev/zero of=/tmp-file bs=1 count=0 seek=10G
0+0 records in
0+0 records out
0 bytes (0 B) copied, 0.000180463 s, 0.0 kB/s
Check the file size:
$ ls -lh /tmp-file
-rw-r--r-- 1 root root 10G Apr 23 14:53 /tmp-file
Since this single file will hold every user's temporary data, it is worth restricting it to root (mode 0600) so that an unprivileged user cannot read other users' files straight out of the raw image.
Create a filesystem on it:
$ sudo mkfs.xfs /tmp-file
Mount it in the same way as the LVM volume, this time with the loop option so that mount attaches the file to a loop device first:
$ sudo vim /etc/fstab
/tmp-file /tmp xfs loop,nosuid,noexec,nodev,rw 0 0
Then run mount -a, confirm with df -hT, and make sure /tmp ends up with mode 1777 as before.
You can also create the 10 GB file with the fallocate command, which, unlike the sparse dd file above, reserves the blocks on disk up front. The general syntax is:
fallocate [-n] [-o offset] -l length filename
Example:
sudo fallocate -l 10G /tmp-file
The length and offset arguments may be followed by the binary suffixes KiB, MiB, GiB, TiB, PiB and EiB (the "iB" is optional, so 10G means 10 GiB) or by the decimal (10^N) suffixes KB, MB, GB, TB, PB and EB.
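The whole procedure for either backing store as one script, added here as an example and not taken from the article or from any tool: it builds the fstab line (adding loop only for the file-backed case), applies the steps including the chmod 1777 a fresh filesystem needs, reads /proc/self/mounts to confirm what the kernel actually enforces on /tmp, and finally tries to execute a script placed in /tmp to prove noexec is working. The function names, the script name harden_tmp.sh, and the assumption that /tmp is not already managed by a separate tmpfs mount unit are mine; the apply functions need root and are only reached when you pass lvm or file on the command line.

```shell
#!/bin/sh
# Added example for this article (not the author's own script). Function
# names and the script name harden_tmp.sh are assumptions for this example.

# Options every /tmp mount must carry.
REQUIRED_OPTS="nosuid noexec nodev"

# fstab_entry KIND DEVICE MOUNTPOINT
# KIND is "lvm" for a block device or "file" for a regular file. The loop
# option is only valid for a regular file, so it is added in that case alone.
fstab_entry() {
    kind=$1; dev=$2; mnt=$3
    case "$kind" in
        lvm)  opts="nosuid,noexec,nodev,rw" ;;
        file) opts="loop,nosuid,noexec,nodev,rw" ;;
        *)    echo "fstab_entry: kind must be lvm or file" >&2; return 1 ;;
    esac
    printf '%s %s xfs %s 0 0\n' "$dev" "$mnt" "$opts"
}

# opts_missing "opt1,opt2,..." prints the required options that are absent,
# space separated, in REQUIRED_OPTS order; prints nothing if all are present.
opts_missing() {
    have=",$1,"
    missing=""
    for o in $REQUIRED_OPTS; do
        case "$have" in
            *",$o,"*) ;;
            *) missing="$missing${missing:+ }$o" ;;
        esac
    done
    printf '%s' "$missing"
}

# check_mount MOUNTPOINT returns 0 only if the kernel (not fstab) shows it as
# a separate mount carrying all required options. The last matching line
# wins, which is the most recent mount on that path.
check_mount() {
    mnt=$1
    line=$(awk -v m="$mnt" '$2 == m { l = $0 } END { print l }' /proc/self/mounts)
    [ -n "$line" ] || { echo "$mnt is not a separate mount" >&2; return 1; }
    m=$(opts_missing "$(printf '%s\n' "$line" | awk '{ print $4 }')")
    [ -z "$m" ] || { echo "$mnt is missing: $m" >&2; return 1; }
    echo "$mnt mounted with $REQUIRED_OPTS"
}

# Steps shared by both methods; must run as root.
finish_tmp_mount() {
    fstab_entry "$1" "$2" /tmp >> /etc/fstab
    mount /tmp
    # mkfs leaves the new root directory 0755 root:root; /tmp must be 1777
    # or unprivileged users and daemons cannot create temporary files.
    chmod 1777 /tmp
    check_mount /tmp
}

# apply_lvm_tmp VG SIZE, e.g. apply_lvm_tmp cpanel-backups 10G
apply_lvm_tmp() {
    lvcreate -n tmp -L "$2" "$1"
    mkfs.xfs "/dev/$1/tmp"          # same device as /dev/mapper/<vg>-tmp
    finish_tmp_mount lvm "/dev/$1/tmp"
}

# apply_file_tmp PATH SIZE, e.g. apply_file_tmp /tmp-file 10G
# fallocate reserves the blocks now, so a full / cannot later starve /tmp
# the way a sparse dd image can.
apply_file_tmp() {
    fallocate -l "$2" "$1"
    chmod 600 "$1"                  # nobody but root may read the raw image
    mkfs.xfs "$1"
    finish_tmp_mount file "$1"
}

# noexec_probe: try to run a script placed in /tmp; if it runs, noexec is
# not actually in effect on the mounted filesystem.
noexec_probe() {
    probe=$(mktemp /tmp/noexec-probe.XXXXXX) || return 1
    printf '#!/bin/sh\necho ran\n' > "$probe"
    chmod 755 "$probe"
    if "$probe" >/dev/null 2>&1; then
        rm -f "$probe"; echo "WARNING: /tmp allowed direct execution" >&2; return 1
    fi
    rm -f "$probe"
    echo "/tmp blocks direct execution (noexec works)"
}

# The system is only modified when explicitly asked:
#   sudo sh harden_tmp.sh lvm  cpanel-backups 10G
#   sudo sh harden_tmp.sh file /tmp-file 10G
case "${1:-}" in
    lvm)  apply_lvm_tmp "$2" "$3" && noexec_probe ;;
    file) apply_file_tmp "$2" "$3" && noexec_probe ;;
esac
```

check_mount deliberately reads the kernel's mount table rather than /etc/fstab: a typo in fstab, or a tmpfs unit that got there first, leaves /tmp mounted without the options you think you set, and only the live table shows that. noexec_probe is the cheapest end-to-end check, but a passing probe says nothing about interpreters, which can still run scripts stored in /tmp.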