Out of the box, the Ubuntu Server platform is fairly secure. However, there are always tweaks to be made to get the most out of your server security. One change that buys a good deal of security for very little effort is to secure shared memory.
What is shared memory?
Shared memory is an efficient means of passing data between programs: two or more processes map the same memory region instead of copying data through the kernel. On Ubuntu it is backed by a tmpfs filesystem mounted at /dev/shm (older releases mounted it at /run/shm; current releases keep /run/shm as a symlink to /dev/shm). By default that filesystem is world-writable and mounted read/write with execution allowed, which makes it a convenient place for an attacker who has already compromised a process to write a payload and run it. It should be noted that the foothold in most of these incidents comes from a vulnerability in a particular piece of server software, such as Apache or an application it runs, and not from the operating system itself. Even so, there has to be a way to make this type of exploit harder, right?
There is, and it is easily done. What we are going to do is mount the shared-memory filesystem with the ro, noexec, nosuid and nodev options: read-only, with no permission to execute programs stored in it, with set-user-ID and set-group-ID bits on files in it ignored, and with block or character device files in it not honored. That removes a common post-exploitation step on Linux servers (drop a binary into shared memory and execute it), although it does not fix the vulnerability that let the attacker in.
The necessary change
Setting /run/shm to read-only is actually quite simple. All you have to do is open up the /etc/fstab file and add one line. The entry below names /run/shm, as does the rest of this article; on a release where /run/shm is only a symlink to /dev/shm (check with ls -l /run/shm), name /dev/shm instead, since fstab should refer to the directory that is actually mounted. Open the file with the command sudo nano /etc/fstab and add the following line to the bottom of the file:
none /run/shm tmpfs ro,noexec,nosuid,nodev 0 0
Do not write defaults,ro here: the defaults keyword expands to rw,suid,dev,exec and more, so defaults,ro gives you a read-only mount that still permits execution, set-user-ID binaries and device files. Save and close the file. You can check the file for syntax errors with sudo findmnt --verify (or sudo mount -a, which validates the entry but skips it because the filesystem is already mounted, so it does not apply the new options). To apply the change without a reboot, run sudo mount -o remount /run/shm; with only the mount point given, mount re-reads the fstab entry for it. Confirm with findmnt /run/shm that the options now include ro,noexec,nosuid,nodev. A reboot applies the same entry at boot time. Note that a remount to read-only fails with a "mount point is busy" error while any process has a file in shared memory open for writing; that error is itself a useful inventory of what the read-only setting would break.
The one caveat
There may be a reason for you to need that memory space mounted read/write. In practice there usually is: a read-only mount stops every process from creating a shared-memory segment, so it is not only a specific server application that breaks but any ordinary software that uses POSIX shared memory (shm_open) or named semaphores, standard applications like Google Chrome among them. That is why most hardening guides stop at this line, which keeps the mount writable:
none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0
The above line mounts shared memory with read/write access but with noexec (programs cannot be executed from it), nosuid (set-user-ID and set-group-ID bits on its files are ignored) and nodev (block or character device files in it are not honored). Still more secure than the default. One caveat on noexec: it blocks direct execution of a file, but an interpreter invoked as bash /run/shm/x.sh or python3 /run/shm/x.py still runs it, so treat this as raising the cost of an attack rather than eliminating it.
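Putting the procedure above together for both variants, the read-only entry and this read/write one, here is an added example script (mine, not code from the original article). It audits the live mount options, builds the fstab entry for either option set, refuses to add a duplicate entry, and, when run as root with apply, backs up /etc/fstab, writes the entry, checks the file and remounts so the change takes effect without a reboot. It assumes util-linux's findmnt and mount and GNU readlink, as found on Ubuntu; the function names and the audit/apply sub-commands are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: audit the shared-memory
# mount, build the fstab entry for either variant discussed above, and
# (as root) apply it without a reboot. Assumes util-linux (findmnt, mount)
# and GNU coreutils (readlink); the function names and the "audit"/"apply"
# sub-commands are this example's own invention.
set -eu

# The two option sets from the article: read-only, or read/write with only
# the execution, set-user-ID and device-file hardening.
SHM_RO_OPTS="ro,noexec,nosuid,nodev"
SHM_RW_OPTS="rw,noexec,nosuid,nodev"
SHM_HARDEN_FLAGS="noexec nosuid nodev"

# Resolve the real mount point: on current Ubuntu /run/shm is a symlink to
# /dev/shm, and the fstab entry should name the directory that is mounted.
shm_mountpoint() {
    p=/run/shm
    [ -d /run/shm ] || p=/dev/shm
    readlink -f "$p"
}

# Print, space-separated, which of the wanted flags are absent from a
# comma-separated option string such as `findmnt -no OPTIONS` prints.
shm_missing_opts() {
    current="$1" want="$2" missing=""
    for o in $want; do
        case ",$current," in
            *",$o,"*) ;;
            *) missing="${missing:+$missing }$o" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# The fstab line for a mount point and option set.
shm_fstab_line() {
    printf 'none %s tmpfs %s 0 0\n' "$1" "$2"
}

# Succeed if an fstab-format file already has an entry for the mount point
# (comments and blank lines ignored), so a duplicate is never added.
shm_fstab_has_entry() {
    awk -v m="$2" '$1 !~ /^#/ && NF >= 2 && $2 == m { found = 1 }
                   END { exit found ? 0 : 1 }' "$1"
}

# Append the entry to an fstab file. Returns 1, leaving the file unchanged,
# if an entry for that mount point already exists.
shm_fstab_add() {
    fstab="$1" mnt="$2" opts="$3"
    if shm_fstab_has_entry "$fstab" "$mnt"; then
        return 1
    fi
    # Start on a fresh line even if the file lacks a final newline.
    if [ -s "$fstab" ] && [ -n "$(tail -c 1 "$fstab")" ]; then
        echo >> "$fstab"
    fi
    shm_fstab_line "$mnt" "$opts" >> "$fstab"
}

# audit: report the live mount options. apply [opts]: back up /etc/fstab,
# add the entry, verify the file, then remount so it takes effect now.
# `mount -o remount <dir>` with no other options re-reads fstab for <dir>.
main() {
    mnt=$(shm_mountpoint)
    current=$(findmnt -no OPTIONS "$mnt")
    missing=$(shm_missing_opts "$current" "$SHM_HARDEN_FLAGS")
    echo "$mnt is mounted with: $current"
    if [ -z "$missing" ]; then
        echo "all hardening flags present"
    else
        echo "missing: $missing"
    fi
    [ "$1" = apply ] || return 0
    opts="${2:-$SHM_RW_OPTS}"
    bak="/etc/fstab.bak.$(date +%Y%m%d%H%M%S)"
    cp -p /etc/fstab "$bak"
    if ! shm_fstab_add /etc/fstab "$mnt" "$opts"; then
        echo "/etc/fstab already has an entry for $mnt; edit it by hand" >&2
        exit 1
    fi
    if ! findmnt --verify; then          # syntax check before touching the live mount
        cp -p "$bak" /etc/fstab
        echo "fstab check failed; restored $bak" >&2
        exit 1
    fi
    mount -o remount "$mnt"
    echo "$mnt is now mounted with: $(findmnt -no OPTIONS "$mnt")"
}

case "${1:-}" in
    audit|apply) main "$@" ;;
    "") ;;   # no sub-command: only define the functions (for sourcing)
    *) echo "usage: $0 audit | apply [mount-options]" >&2; exit 2 ;;
esac
```

Run sh shm-harden.sh audit to see which flags the live mount lacks, sudo sh shm-harden.sh apply for the read/write variant, or sudo sh shm-harden.sh apply ro,noexec,nosuid,nodev for the read-only one. The verify step runs after the edit but before the remount, and restores the backup if the file no longer parses, so a typo cannot leave you with a broken fstab on the next boot; a read-only remount that fails with "mount point is busy" means some process still has a shared-memory file open for writing, which is exactly the breakage the caveat above warns about.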
Use with caution
As I mentioned earlier, certain applications will not function with shared memory in read-only mode, so test the change on a non-production machine first. If you're looking to get the most security out of the Linux machines in your data center, it is worth the time to give this configuration a try.