Thanks for all your input. I feel I must lock down the /tmp and /var/tmp and /dev/shm folder because, as far as I can tell, it does indeed effectively stop execution of scripts stored in those folders.
Here’s what I’m going to try on one of my servers’ fstab:
tmpfs /tmp tmpfs nosuid,noexec,nodev,rw 0 0
tmpfs /var/tmp tmpfs nosuid,noexec,nodev,rw 0 0
tmpfs /dev/shm tmpfs nosuid,noexec,nodev,rw 0 0
My understanding is I could have set the max size, e.g.,
tmpfs /var/tmp tmpfs size=2048m,nosuid,noexec,nodev,rw 0 0
but, I’m gambling that shm is set to 50% of the physical RAM in CentOS AND that when full, it will page over to the swap partition. If I’m right, on my machine there will be up to 4 Gigs of RAM to be shared amongst /dev/shm, /tmp, and /var/tmp which when full will page over to swap - which on my machine is 30 gigs striped on 3 drives. It is indeed possible that some amount of thrashing will occur, but, I’m suspecting that will happen mostly at midnight UTC -7 while my traffic is relatively low and that otherwise, won’t be so bad (fingers crossed).
Another serious concern I have is that, if I understand correctly, /var/tmp is supposed to be persistent between boots… ehh… but, hey they don’t call it tmp for nothin’ and I’m too lazy to reinstall all this if I don’t have to.
I’ll post the results of how well it worked out-
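A way to verify that the fstab change above actually took effect after the remount, as an added example that is not part of the original thread: a POSIX sh script that reads /proc/mounts-style lines and reports, for /tmp, /var/tmp and /dev/shm, which of nosuid, noexec and nodev are missing, whether the directory is a separate mount at all, and what size limit the tmpfs has (each tmpfs mount carries its own limit, and the kernel default when size= is omitted is half of physical RAM per mount). The mount lines embedded here are constructed sample data; the function names are this example's own. With no second argument the functions read the live /proc/mounts instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit scratch-directory mounts
# for the nosuid,noexec,nodev hardening applied in the fstab lines above.

# Constructed sample in /proc/mounts format (fields: device mountpoint fstype
# options dump pass). /var/tmp deliberately lacks noexec to produce a finding.
SAMPLE_MOUNTS='tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=2097152k 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# check_mount MOUNTPOINT [MOUNTS_TEXT]
# Prints the comma-separated required options missing from MOUNTPOINT
# (empty line when fully hardened). Returns 1 if MOUNTPOINT is not a mount
# of its own, i.e. it silently inherits the parent filesystem's options.
check_mount() {
    mp="$1"
    mounts="${2:-$(cat /proc/mounts)}"
    line=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print; exit }')
    [ -n "$line" ] || return 1
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    missing=""
    for want in nosuid noexec nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    printf '%s\n' "$missing"
    return 0
}

# tmpfs_size_limit MOUNTPOINT [MOUNTS_TEXT]
# Prints the size= option of a tmpfs mount, or notes the kernel default
# (50% of RAM for that one mount) when no size= was given. Returns 1 if
# MOUNTPOINT is not a tmpfs mount.
tmpfs_size_limit() {
    mp="$1"
    mounts="${2:-$(cat /proc/mounts)}"
    opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp && $3 == "tmpfs" { print $4; exit }')
    [ -n "$opts" ] || return 1
    size=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^size=//p')
    if [ -n "$size" ]; then
        printf '%s\n' "$size"
    else
        printf 'default (50%% of RAM)\n'
    fi
}

# count_unhardened [MOUNTS_TEXT]
# Prints how many of the three scratch directories are not fully locked down.
count_unhardened() {
    mounts="${1:-$(cat /proc/mounts)}"
    bad=0
    for mp in /tmp /var/tmp /dev/shm; do
        if missing=$(check_mount "$mp" "$mounts"); then
            [ -z "$missing" ] || bad=$((bad + 1))
        else
            bad=$((bad + 1))
        fi
    done
    printf '%s\n' "$bad"
}

# audit_tmp_mounts [MOUNTS_TEXT]
# Human-readable report, one line per directory.
audit_tmp_mounts() {
    mounts="${1:-$(cat /proc/mounts)}"
    for mp in /tmp /var/tmp /dev/shm; do
        if missing=$(check_mount "$mp" "$mounts"); then
            if [ -n "$missing" ]; then
                echo "$mp: MISSING $missing"
            else
                echo "$mp: ok (size limit: $(tmpfs_size_limit "$mp" "$mounts" || echo 'n/a, not tmpfs'))"
            fi
        else
            echo "$mp: not a separate mount, inherits its parent filesystem's options"
        fi
    done
}

audit_tmp_mounts "$SAMPLE_MOUNTS"
echo "unhardened scratch directories: $(count_unhardened "$SAMPLE_MOUNTS")"
```

Run it with no arguments on the server after `mount -a` (or a reboot) to confirm all three lines print "ok"; a directory reported as "not a separate mount" is the case to watch for, since an fstab line that failed to mount leaves the directory executable without any error in the options themselves.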