What is /dev/shm ?
/dev/shm is a traditional shared memory concept. One program will create a memory portion, which other processes (if permitted) can access. This will result into speeding up things on Linux. Everything in tmpfs is temporary in the sense that no files will be created on your hard drive. If you unmount a tmpfs instance, everything stored therein is lost. By default almost all Linux distros configured to use /dev/shm.”
One of the major security issue with the /dev/shm is anyone can upload and execute files inside the /dev/shm similar to the /tmp partition. Follow the below steps to secure the tmpfs file system.
Edit the /etc/fstab and replace the following lines.
- # vi /etc/fstab
# tmpfs /dev/shm tmpfs defaults 0 0
- # tmpfs /dev/shm tmpfs defaults,noexec,nodev,nosuid 0 0
Then unmount and remount the /dev/shm partiton to load the new settings.
- # umount /dev/shm
# mount /dev/shm
Check the setting using the mount command to make sure the /dev/shm is mounted with noexec,nodev,nosuid .