Linux Security: Mount /tmp With nodev, nosuid, and noexec Options

by on December 19, 2012 · 7 comments · LAST UPDATED December 19, 2012

How do I mount /tmp with nodev, nosuid, and noexec options to increase the security of my Linux based web server? How can I add nodev, nosuid, and noexec options to /dev/shm under Linux operating systems?

Temporary storage directories such as /tmp, /var/tmp and /dev/shm provide storage space for malicious executables. Attackers routinely drop executables into /tmp, and a malicious user can use a world-writable temporary directory to run unwanted programs and compromise your server. Mounting these directories with nodev, nosuid and noexec stops device files, set-user-ID binaries and direct execution of files stored there.

Tutorial details
Difficulty: Intermediate
Root privileges: Yes
Requirements: Linux
Estimated completion time: N/A

Add nodev, nosuid, and noexec options to /tmp

Edit the file /etc/fstab, enter:
# vi /etc/fstab
Locate the /tmp line:

UUID=0aef28b9-3d11-4ab4-a0d4-d53d7b4d3aa4 /tmp                    ext4    defaults        1 2

Append the text ,nodev,nosuid,noexec to the list of mount options in column 4. Your entry should then look as follows:

UUID=0aef28b9-3d11-4ab4-a0d4-d53d7b4d3aa4 /tmp                    ext4    defaults,nodev,nosuid,noexec        1 2

Save and close the file.

Add nodev, nosuid, and noexec options to /dev/shm

Edit the file /etc/fstab, enter:
# vi /etc/fstab
Locate the /dev/shm line:

tmpfs                   /dev/shm                tmpfs   defaults        0 0

Append the text ,nodev,nosuid,noexec to the list of mount options in column 4. Your entry should then look as follows:

tmpfs                   /dev/shm                tmpfs   defaults,nodev,nosuid,noexec        0 0

Save and close the file.

A note about /var/tmp

Bind-mount /var/tmp onto /tmp so that it inherits the same restrictions. Edit the file /etc/fstab, enter:
# vi /etc/fstab
Append the following line:

/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0

Save and close the file. Note that older versions of mount(8) ignore the noexec, nosuid and nodev flags given on the initial bind mount, so verify the options with the mount command afterwards and remount /var/tmp if they are missing.

Set nodev, nosuid, and noexec options without rebooting the Linux server

Type the following command as root user:

## Bind /var/tmp to /tmp
# mount -o rw,noexec,nosuid,nodev,bind /tmp/ /var/tmp/
## Remount /tmp
# mount -o remount,noexec,nosuid,nodev /tmp
## Remount /dev/shm
# mount -o remount,noexec,nosuid,nodev /dev/shm

Verify new settings:
# mount
# mount | less
# mount | egrep --color -w '^(tmpfs|/tmp)|/tmp'

Sample outputs:

Fig.01: mount command output
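To check that all three directories actually carry nodev, nosuid and noexec, here is an added POSIX shell audit script (not from the original article) that parses lines in /proc/mounts format. It runs against a constructed sample listing; the last line shows how to point it at the live /proc/mounts instead.

```shell
#!/bin/sh
# Added example: audit /tmp, /var/tmp and /dev/shm for nodev,nosuid,noexec by parsing
# lines in /proc/mounts format (device mountpoint fstype options dump pass).

# Constructed sample listing; /dev/shm is deliberately missing noexec.
SAMPLE_MOUNTS='/dev/sda2 /tmp ext4 rw,relatime,nodev,nosuid,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda2 /var/tmp ext4 rw,relatime,nodev,nosuid,noexec 0 0'

# Print the options column for mountpoint $2 in listing $1 (last match wins, since a
# later mount on the same path shadows earlier ones). Prints nothing if not mounted.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }'
}

# Print the comma-separated required options ($1) absent from the actual options ($2).
# Returns 0 when nothing is missing, 1 otherwise.
missing_opts() {
    missing=""
    for opt in $(printf '%s' "$1" | tr ',' ' '); do
        case ",$2," in
            *",$opt,"*) ;;
            *) missing="${missing:+$missing,}$opt" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "$missing"
    return 1
}

# Audit each temp directory in listing $1: one status line each, return 1 on any problem.
audit_tmp_mounts() {
    status=0
    for mp in /tmp /var/tmp /dev/shm; do
        opts=$(mount_opts "$1" "$mp")
        if [ -z "$opts" ]; then
            echo "$mp: WARNING not a separate mount, inherits the parent filesystem options"
            status=1
        elif m=$(missing_opts "nodev,nosuid,noexec" "$opts"); then
            echo "$mp: OK ($opts)"
        else
            echo "$mp: MISSING $m (have $opts)"
            status=1
        fi
    done
    return $status
}

# Run against the sample; on a live system use: audit_tmp_mounts "$(cat /proc/mounts)"
audit_tmp_mounts "$SAMPLE_MOUNTS" || echo "audit failed: fix /etc/fstab and remount"
```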

How do I mount /tmp as a filesystem?

If /tmp is not on its own partition, you can also mount it (for example a chroot jail's $jail/tmp) as a separate filesystem backed by a file such as /images/tmpfile.bin, with the noexec, nosuid and nodev options, on Linux-like operating systems.

7 comments

1 Wolfsrudel December 19, 2012 at 7:23 am

…and afterwards aptitude isn’t working anymore! :P

If this is the case – and it will be! – edit your ‘/etc/apt/apt.conf’ and add the following lines:

// if /tmp is mounted non-executable
DPkg::Pre-Invoke {"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount /tmp";};

Kind regards.

Reply

2 ganto December 19, 2012 at 9:57 am

Debian (apt-get respectively) has some troubles when /tmp is mounted with ‘noexec’. Please check http://www.debian-administration.org/articles/57 for a work-around.

Reply

3 Jalal Hajigholamali December 20, 2012 at 2:59 am

Hi,

Normally some applications generate scripts dynamically
under /tmp and execute them…

Thanks….

Reply

4 ali December 20, 2012 at 4:42 am

Hi, thanks, it was good.

Reply

5 Dave May 1, 2013 at 11:51 pm

To mount /tmp and /var/tmp from within a VPS

mount -t tmpfs -o noexec,nosuid,nodev tmpfs /tmp
mount -t tmpfs -o noexec,nosuid,nodev tmpfs /var/tmp

To check the mounted ‘tmp’ partitions, execute

mount | grep tmp

Reply

6 abdullah August 14, 2013 at 5:10 pm

Hello there, thanks. Does this work with cPanel?

Reply

7 Mohammed Khalid August 20, 2013 at 10:30 am

Hi

Just want to know: is there any downtime when remounting the /tmp filesystem?

step 1. mount -o remount defaults,exec /tmp
step 2. mount -o remount defaults,noexec,nosuid,nodev /tmp

Thanks
Mohammed Khalid

Reply
