Protecting File Systems and Files

ZFS file systems are lightweight and can be encrypted, compressed, and configured with reserved space and disk space limits.

The tmpfs file system can grow without bound. To prevent a denial of service (DOS) attack, complete How to Limit the Size of the tmpfs File System.

The following tasks configure a size limit for tmpfs and provide a glimpse of the protections that are available in ZFS, the default file system in Oracle Solaris. For additional information, see Setting ZFS Quotas and Reservations in Oracle Solaris 11.1 Administration: ZFS File Systems and the zfs(1M) man page.

How to Limit the Size of the tmpfs File System

The size of the tmpfs file system is not limited by default. Therefore, tmpfs can grow to fill the available system memory and swap. Because the /tmp directory is used by all applications and users, an application might occupy all available system memory. Similarly, an unprivileged user with malicious intent could cause a system slowdown by creating large files in the /tmp directory. To avoid a performance impact, you can limit the size of each tmpfs mount.

You might try several values to achieve best system performance.

Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

1. Determine the amount of memory on your system.

   ---

   Note - The SPARC T3 series system that is used for the example in this procedure has a solid state disk (ssd) for faster I/O and has eight 279.40 MB disks. The system has around 500 GB of memory.

   ---

   # prtconf | head
   System Configuration:  Oracle Corporation  sun4v
   Memory size: 523776 Megabytes
   System Peripherals (Software Nodes):
   
   ORCL,SPARC-T3-4
       scsi_vhci, instance #0
           disk, instance #4
           disk, instance #5
           disk, instance #6
           disk, instance #8

2. Compute a memory limit for tmpfs.

   Depending on the size of the system memory, you might want to compute a memory limit of around 20 percent for large systems and around 30 percent for smaller systems.

   So, for a smaller system, use .30 as the multiplier.

   10240M x .30 ≃ 340M

   For a larger system, use .20 as the multiplier.

   523776M x .20 ≃ 10475M

3. Modify the swap entry in the /etc/vfstab file with the size limit.

   # pfedit /etc/vfstab
   #device       device       mount           FS      fsck    mount mount
   #to mount     to fsck      point           type    pass    at boot options
   #
   /devices      -            /devices        devfs   -       no      -
   /proc         -            /proc           proc    -       no      -
   ctfs          -            /system/contract ctfs   -       no      -
   objfs         -            /system/object  objfs   -       no      -
   sharefs       -            /etc/dfs/sharetab  sharefs -    no      -
   fd            -            /dev/fd         fd      -       no      -
   swap          -            /tmp            tmpfs   -       yes     -
   swap          -            tmpfs           -       yes     size=10400m
   /dev/zvol/dsk/rpool/swap   -      -        swap    -       no      - 

4. Reboot the system.

   # reboot

5. Verify that the size limit is in effect.

   # mount -v
   swap on /system/volatile type tmpfs 
   read/write/setuid/devices/rstchown/xattr/dev=89c0006 on Fri Sep 7 14:07:27 2012
   swap on /tmp type tmpfs 
   read/write/setuid/devices/rstchown/xattr/size=10400m/dev=89c0006 on Fri ...

6. Monitor the memory usage and adjust it to the requirements of your site.

   The df command is somewhat useful. The swap command provides the most useful statistics.

   # df -h /tmp
   Filesystem Size Used Available Capacity Mounted on
   swap          7.  4G     44M    7.4G 1%       /tmp
   
   # swap -s
   total: 190248k bytes allocated + 30348k reserved = 220596k used,
   7743780k available 

   For more information, see the tmpfs(7FS), mount_tmpfs(1M), df(1M), and swap(1M) man pages.