Out of the box, the Ubuntu Server platform is fairly secure. However, there are always tweaks to be made to ensure you get the most out of your server security. One way to gain a considerable amount of security (relative to the effort needed to set it up) is to enable secure shared memory.
Shared memory is an efficient means of passing data between programs. Because two or more processes can use the same memory space, and because shared memory is mounted read/write by default, the /run/shm space can be easily exploited. That translates to a weakened state of security. It should be noted that most of these exploits actually make use of vulnerabilities within a particular piece of server software (such as Apache) and not the operating system itself. Even so, there has to be a way to prevent this type of exploit, right?
There is, and fortunately it is easy to apply. What we are going to do is have /run/shm mounted in read-only mode, without permission to execute programs, change the UID of running programs, or create block or character devices in the namespace. This will go a very long way toward preventing those Linux machines in your data center from getting exploited.
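To verify that a host actually carries the mount options described above, the following added example (not part of the original article) parses `/proc/mounts`-format data and reports which of `ro`, `noexec`, `nosuid` and `nodev` are missing. The function names, the sample lines and the fstab form shown in the comment are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: audit a shared-memory mount for the options named above.
# An /etc/fstab entry carrying them would take this form (assumed, not
# quoted from the article):
#   tmpfs /run/shm tmpfs ro,noexec,nosuid,nodev 0 0

REQUIRED_OPTS="ro noexec nosuid nodev"

# Constructed sample in /proc/mounts format (not taken from a real host):
# device, mount point, filesystem type, options, dump, pass.
sample_mounts() {
    cat <<'EOF'
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=398164k,mode=755 0 0
tmpfs /run/shm tmpfs rw,nosuid,nodev,relatime 0 0
EOF
}

# shm_missing_opts MOUNTPOINT [MOUNTS_FILE]
# Prints the required options that are absent, space separated.
# Returns 0 if all are present, 1 if some are missing, 2 if not mounted.
shm_missing_opts() {
    local mp="$1" mounts="${2:-/proc/mounts}" opts missing="" o
    # Take the last matching line: a later mount shadows an earlier one.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts")
    if [ -z "$opts" ]; then
        return 2
    fi
    for o in $REQUIRED_OPTS; do
        # Wrap in commas so "ro" cannot match inside another option name.
        case ",$opts," in
            *",$o,"*) ;;
            *) missing="${missing:+$missing }$o" ;;
        esac
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Example call on a live host (the mount point may be /dev/shm instead):
#   shm_missing_opts /run/shm || echo "shared memory is not hardened"
```

A read-only shared memory mount stops applications that need to create or write POSIX shared memory segments from working, so check what runs on the server before applying it.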
Submitted by: Arnfried Walbrecht