
Linux Security: Mount /tmp With nodev, nosuid, and noexec Options

How do I mount /tmp with nodev, nosuid, and noexec options to increase the security of my Linux based web server? How can I add nodev, nosuid, and noexec options to /dev/shm under Linux operating systems?

Temporary storage directories such as /tmp, /var/tmp and /dev/shm provide storage space for malicious executables.
Tutorial details
Difficulty: Intermediate
Root privileges: Yes
Requirements: Linux
Estimated completion time: N/A
Crackers and hackers store executables in /tmp. Malicious users can use temporary storage directories to execute unwanted programs and compromise your server.

Add nodev, nosuid, and noexec options to /tmp

Edit the file /etc/fstab, enter:
# vi /etc/fstab
Locate the /tmp line:

UUID=0aef28b9-3d11-4ab4-a0d4-d53d7b4d3aa4 /tmp                    ext4    defaults        1 2

Append the text ,nodev,nosuid,noexec to the list of mount options in column 4. In the end, your entry should look as follows:

UUID=0aef28b9-3d11-4ab4-a0d4-d53d7b4d3aa4 /tmp                    ext4    defaults,nodev,nosuid,noexec        1 2

Save and close the file.

Add nodev, nosuid, and noexec options to /dev/shm

Edit the file /etc/fstab, enter:
# vi /etc/fstab
Locate the /dev/shm line:

tmpfs                   /dev/shm                tmpfs   defaults        0 0

Append the text ,nodev,nosuid,noexec to the list of mount options in column 4. In the end, your entry should look as follows:

tmpfs                   /dev/shm                tmpfs   defaults,nodev,nosuid,noexec        0 0

Save and close the file.

A note about /var/tmp

Make sure you bind /var/tmp to /tmp. Edit the file /etc/fstab, enter:
# vi /etc/fstab
Append the following line:

/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0

Save and close the file.

Set nodev, nosuid, and noexec options without rebooting the Linux server

Type the following command as root user:

## Bind /var/tmp to /tmp
 mount -o rw,noexec,nosuid,nodev,bind /tmp/ /var/tmp/
## Remount /tmp
 mount -o remount,noexec,nosuid,nodev /tmp
## Remount /dev/shm
 mount -o remount,noexec,nosuid,nodev /dev/shm

Verify new settings:
# mount
# mount | less
# mount | egrep --color -w '^(tmpfs|/tmp)|/tmp'

Sample outputs:

Fig.01: mount command output
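Rather than eyeballing the mount output, the check below parses /proc/mounts-style lines and reports which of nodev, nosuid and noexec are missing from each temporary directory. It is an added example, not part of the original tutorial; the sample mount table is constructed (note the /dev/shm line deliberately lacks noexec), and with no second argument the function reads the live /proc/mounts instead.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not captured from a real host).
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/tmp /var/tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# check_mount_opts MOUNTPOINT [MOUNTS_TEXT]
# Prints "MOUNTPOINT: missing <opts>" for any of nodev nosuid noexec absent
# from the mount point's options (nothing when all three are present).
# Returns 0 when hardened, 1 when options are missing, 2 when not mounted.
# Reads MOUNTS_TEXT if given, otherwise the live /proc/mounts.
check_mount_opts() {
    mp=$1
    mounts=${2:-$(cat /proc/mounts)}
    # Field 2 is the mount point, field 4 the option list. If a path is
    # mounted more than once (e.g. a bind on top), the last line wins.
    opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    [ -n "$opts" ] || { echo "$mp: not mounted" >&2; return 2; }
    missing=""
    for want in nodev nosuid noexec; do
        case ",$opts," in
            *,"$want",*) ;;                      # option present
            *) missing="$missing $want" ;;       # option absent
        esac
    done
    if [ -n "$missing" ]; then
        printf '%s: missing%s\n' "$mp" "$missing"
        return 1
    fi
    return 0
}

# Demonstration against the constructed table; reports /dev/shm only.
rc=0
for mp in /tmp /var/tmp /dev/shm; do
    check_mount_opts "$mp" "$SAMPLE_MOUNTS" || rc=1
done
```

Run `check_mount_opts /var/tmp` after the bind mount on a live host: mount(8) versions older than util-linux 2.27 silently drop noexec, nosuid and nodev from a bind mount, so if they are reported missing, apply them with a separate `mount -o remount,bind,noexec,nosuid,nodev /var/tmp`.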

How do I mount /tmp as a filesystem?

You can mount $jail/tmp as a separate filesystem backed by a file called /images/tmpfile.bin, with the noexec, nosuid and nodev options, under Linux-like operating systems.


7 comments

  • Wolfsrudel December 19, 2012, 7:23 am

    …and afterwards aptitude isn’t working anymore! :P

    If this is the case – and it will be! – edit your ‘/etc/apt/apt.conf’ and add the following lines:

    // if /tmp is mounted non-executable
    DPkg::Pre-Invoke {"mount -o remount,exec /tmp";};
    DPkg::Post-Invoke {"mount -o remount /tmp";};

    Kind regards.

  • ganto December 19, 2012, 9:57 am

    Debian (apt-get respectively) has some troubles when /tmp is mounted with ‘noexec’. Please check http://www.debian-administration.org/articles/57 for a work-around.

  • Jalal Hajigholamali December 20, 2012, 2:59 am

    Hi,

    Normally some applications generate scripts dynamically
    under /tmp and execute them…

    Thanks….

  • ali December 20, 2012, 4:42 am

    Hi, thanks, it was good.

  • Dave May 1, 2013, 11:51 pm

    To mount /tmp and /var/tmp from within a VPS

    mount -t tmpfs -o noexec,nosuid,nodev tmpfs /tmp
    mount -t tmpfs -o noexec,nosuid,nodev tmpfs /var/tmp

    To check the mounted ‘tmp’ partitions, execute

    mount | grep tmp

  • abdullah August 14, 2013, 5:10 pm

    Hello there, thanks. Does this work with cPanel?

  • Mohammed Khalid August 20, 2013, 10:30 am

    Hi

    Just want to know, is there any downtime when remounting the /tmp filesystem?

    step 1. mount -o remount defaults,exec /tmp
    step 2. mount -o remount defaults,noexec,nosuid,nodev /tmp

    Thanks
    Mohammed Khalid
