How do I mount /tmp on VPSes with noexec,nosuid options?

The idea is to create a separate file which contains a filesystem for the
/tmp directories of all VPSes, and to mount that file as a loop device with
the noexec,nosuid options (nodev is added as well in the commands below).

It can be done as follows:



1) Create a special file, create a filesystem inside that file and mount it:

# dd if=/dev/zero of=/vz/tmpVE bs=1k count=2000000
# losetup /dev/loop0 /vz/tmpVE
# mkfs.ext2 /dev/loop0
# mkdir /vz/tmpVEs
# mount /dev/loop0 /vz/tmpVEs -o noexec,nosuid,nodev,rw



2) Add the following lines into /etc/sysconfig/vz-scripts/dists/scripts/postcreate.sh:

function vztmpsetup()
{
    # The VE id is the last path component of the VE root (e.g. /vz/root/101 -> 101)
    VEID=`basename $VE_ROOT`

    # Install the per-VE mount/umount hooks from the templates created in steps 3 and 4
    cp /etc/sysconfig/vz-scripts/new.mount /etc/sysconfig/vz-scripts/$VEID.mount
    cp /etc/sysconfig/vz-scripts/new.umount /etc/sysconfig/vz-scripts/$VEID.umount

    # A reused VE id must not inherit the previous VE's /tmp contents
    if [ "$VEID" != "" ]; then
        [ -d /vz/tmpVEs/$VEID ] && rm -rf /vz/tmpVEs/$VEID/*
    fi

    # vzctl only runs hooks that are executable
    chmod 755 /etc/sysconfig/vz-scripts/$VEID.mount /etc/sysconfig/vz-scripts/$VEID.umount
}

vztmpsetup

exit 0



3) Create "/etc/sysconfig/vz-scripts/new.mount":

#!/bin/bash
#
# if one of these files does not exist then something is really broken
[ -f /etc/sysconfig/vz ] || exit 1
[ -f "$VE_CONFFILE" ] || exit 1
[ -f /etc/sysconfig/vz-scripts/$VEID.conf ] || exit 1

# Source configuration files to access $VE_ROOT
. /etc/sysconfig/vz
. "$VE_CONFFILE"

# Per-VE directory on the noexec,nosuid,nodev loop filesystem
[ -e /vz/tmpVEs/$VEID ] || mkdir /vz/tmpVEs/$VEID

# Bind it over the VE's /tmp; the bind mount keeps the loop mount's noexec,nosuid,nodev flags
mount --bind /vz/tmpVEs/$VEID $VE_ROOT/tmp



4) Create "/etc/sysconfig/vz-scripts/new.umount":

#!/bin/bash
# if one of these files does not exist then something is really broken
[ -f /etc/sysconfig/vz ] || exit 1
[ -f "$VE_CONFFILE" ] || exit 1

# Source configuration files to access $VE_ROOT
. /etc/sysconfig/vz
. "$VE_CONFFILE"

# Unmount shared directory, but only if it is actually mounted
# (mountpoint is the second, space-delimited field of /proc/mounts)
if grep -q " $VE_ROOT/tmp " /proc/mounts; then
    umount $VE_ROOT/tmp
fi



5) Add the following lines into "/etc/rc.sysinit", so that the loop device is set up again at boot, before any VPS is started:

losetup /dev/loop0 /vz/tmpVE
mount /dev/loop0 /vz/tmpVEs -o noexec,nosuid,nodev,rw
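The steps above create and bind the restricted /tmp, but nothing verifies the result on a running host. The following POSIX shell helper is an added example, not part of the original article or of the OpenVZ scripts: check_mount_opts reads a /proc/mounts-style file (passed as an argument so that the constructed sample below can stand in for the real one) and reports whether a mountpoint carries noexec,nosuid,nodev. The function and variable names and the sample mount lines are this example's own inventions.

```shell
#!/bin/sh
# Added verification helper (not from the original article): confirm that a
# mountpoint in a /proc/mounts-style file carries the required options.
# The function and variable names here are this example's own choices.
#
# Usage: check_mount_opts <mounts-file> <mountpoint> [comma-separated-options]
#   returns 0 if all options are present, 1 if some are missing, 2 if the
#   mountpoint does not appear in the file at all.
check_mount_opts() {
    mounts_file=$1
    mountpoint=$2
    required=${3:-noexec,nosuid,nodev}

    # /proc/mounts fields: device mountpoint fstype options dump pass.
    # The last matching line wins, as a later mount shadows an earlier one.
    opts=$(awk -v mp="$mountpoint" '$2 == mp { o = $4 } END { print o }' "$mounts_file")
    if [ -z "$opts" ]; then
        echo "NOT MOUNTED: $mountpoint"
        return 2
    fi

    missing=""
    for want in $(printf '%s' "$required" | tr ',' ' '); do
        case ",$opts," in
            *,"$want",*) ;;                 # option present
            *) missing="$missing $want" ;;  # option absent
        esac
    done

    if [ -n "$missing" ]; then
        echo "WEAK: $mountpoint lacks$missing (options: $opts)"
        return 1
    fi
    echo "OK: $mountpoint ($opts)"
    return 0
}

# Constructed sample of /proc/mounts lines (not captured from a real host):
# VE 101's /tmp carries the loop mount's flags, VE 102's does not.
SAMPLE_MOUNTS='/dev/loop0 /vz/tmpVEs ext2 rw,nosuid,nodev,noexec 0 0
/dev/loop0 /vz/root/101/tmp ext2 rw,nosuid,nodev,noexec 0 0
/dev/loop0 /vz/root/102/tmp ext2 rw 0 0'

# Run the check for one mountpoint against the constructed sample;
# returns check_mount_opts' own status.
demo_check() {
    sample=$(mktemp)
    printf '%s\n' "$SAMPLE_MOUNTS" > "$sample"
    if check_mount_opts "$sample" "$1"; then rc=0; else rc=$?; fi
    rm -f "$sample"
    return $rc
}

# Stand-alone demonstration over the constructed sample (always exits 0).
# On a real host: check_mount_opts /proc/mounts /vz/root/101/tmp
run_demo() {
    for mp in /vz/tmpVEs /vz/root/101/tmp /vz/root/102/tmp /vz/root/103/tmp; do
        demo_check "$mp" || :
    done
}
run_demo
```

On a host built with the steps above, run check_mount_opts /proc/mounts /vz/root/NNN/tmp for each running VPS. Because mount --bind keeps the flags of the loop mount, anything other than OK means the loop device itself was mounted without them, which is exactly what step 5 is meant to prevent after a reboot.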
