
Linux Security: Mount /tmp With nodev, nosuid, and noexec Options

How do I mount /tmp with nodev, nosuid, and noexec options to increase the security of my Linux based web server? How can I add nodev, nosuid, and noexec options to /dev/shm under Linux operating systems?

Temporary storage directories such as /tmp, /var/tmp and /dev/shm provide storage space for malicious executables. Crackers and hackers store executables in /tmp. Malicious users can use temporary storage directories to execute unwanted programs and crack your server.

Add nodev, nosuid, and noexec options to /tmp

Edit the file /etc/fstab, enter:
# vi /etc/fstab
Locate the /tmp line:

UUID=0aef28b9-3d11-4ab4-a0d4-d53d7b4d3aa4 /tmp                    ext4    defaults        1 2

Append the text ,nodev,nosuid,noexec to the list of mount options in column 4. In the end, your entry should look as follows:

UUID=0aef28b9-3d11-4ab4-a0d4-d53d7b4d3aa4 /tmp                    ext4    defaults,nodev,nosuid,noexec        1 2

Save and close the file.

Add nodev, nosuid, and noexec options to /dev/shm

Edit the file /etc/fstab, enter:
# vi /etc/fstab
Locate the /dev/shm line:

tmpfs                   /dev/shm                tmpfs   defaults        0 0

Append the text ,nodev,nosuid,noexec to the list of mount options in column 4. In the end, your entry should look as follows:

tmpfs                   /dev/shm                tmpfs   defaults,nodev,nosuid,noexec        0 0

Save and close the file.

A note about /var/tmp

Make sure you bind /var/tmp to /tmp. Edit the file /etc/fstab, enter:
# vi /etc/fstab
Append the following line:

/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0

Save and close the file.
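The three fstab edits above can be applied in one pass. The following script is an added example, not part of the original tutorial: it reads an fstab file (default /etc/fstab), appends nodev, nosuid and noexec to the /tmp and /dev/shm entries only where they are missing, adds the /var/tmp bind entry from the tutorial if no /var/tmp entry exists, and writes the result to standard output so it can be reviewed before replacing the real file. The function names and the script name used in the case guard are assumptions; note that awk re-joins edited lines with single spaces, so the column alignment of those lines changes.

```shell
#!/bin/sh
# Added example: harden the /tmp, /dev/shm and /var/tmp entries of an fstab
# file idempotently. Output goes to stdout; nothing is written to /etc/fstab.

# harden_fstab FSTAB_FILE MOUNTPOINT...
# Append nodev, nosuid and noexec to the option field (column 4) of every
# listed mount point, skipping options that are already present. Comments,
# blank lines and other mount points pass through untouched.
harden_fstab() {
    fstab=$1
    shift
    awk -v targets="$*" '
    BEGIN { n = split(targets, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
    /^[[:space:]]*#/ || NF < 4 || !($2 in want) { print; next }
    {
        opts = $4
        split("nodev nosuid noexec", add, " ")
        for (i = 1; i <= 3; i++)
            if (("," opts ",") !~ ("," add[i] ",")) opts = opts "," add[i]
        $4 = opts   # rebuilding the record joins fields with single spaces
        print
    }' "$fstab"
}

# ensure_var_tmp_bind [FSTAB_FILE]
# Copy the input (file or stdin) and append the bind-mount line from the
# tutorial unless an entry for /var/tmp already exists.
ensure_var_tmp_bind() {
    awk '{ print }
         !/^[[:space:]]*#/ && NF >= 4 && $2 == "/var/tmp" { found = 1 }
         END { if (!found) print "/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0" }' "$@"
}

# harden_tmp_fstab [FSTAB_FILE]
# Full pass over the three directories the tutorial covers.
harden_tmp_fstab() {
    harden_fstab "${1:-/etc/fstab}" /tmp /dev/shm | ensure_var_tmp_bind
}

# Run only when executed under the assumed script name, e.g.
#   sh harden-tmp-fstab.sh /etc/fstab > /tmp/fstab.new && diff /etc/fstab /tmp/fstab.new
case "$0" in
    *harden-tmp-fstab.sh) harden_tmp_fstab "$@" ;;
esac
```

Because the script only adds options that are absent, running it twice over the same file produces identical output, which makes it safe to keep in a configuration-management step.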

Set nodev, nosuid, and noexec options without rebooting the Linux server

Type the following command as root user:

## Bind /var/tmp to /tmp
 mount -o rw,noexec,nosuid,nodev,bind /tmp/ /var/tmp/

## Remount /tmp
 mount -o remount,noexec,nosuid,nodev /tmp

## Remount /dev/shm
 mount -o remount,noexec,nosuid,nodev /dev/shm

Verify new settings:
# mount
# mount | less
# mount | egrep --color -w '^(tmpfs|/tmp)|/tmp'

Sample outputs:

Fig.01: mount command output

Fig.01: mount command output
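Reading the mount output by eye is error-prone, and a directory that is not a separate mount at all (a /var/tmp that was never bound to /tmp, for instance) silently inherits the options of its parent filesystem. The following audit script is an added example, not part of the original tutorial: it reads a /proc/mounts-style listing (default /proc/mounts; a saved listing can be passed for testing), looks up the option field of /tmp, /var/tmp and /dev/shm, and reports which of nodev, nosuid and noexec are missing. Function names and the script name in the case guard are assumptions.

```shell
#!/bin/sh
# Added example: verify that the temporary directories carry the
# nodev, nosuid and noexec options on the running system.

# mount_opts MOUNTPOINT [MOUNTS_FILE]
# Print the comma-separated option field for MOUNTPOINT. The last matching
# line wins, because a later mount on the same path shadows earlier ones.
mount_opts() {
    mountpoint=$1
    mounts_file=${2:-/proc/mounts}
    awk -v mp="$mountpoint" '$2 == mp { opts = $4 } END { print opts }' "$mounts_file"
}

# check_mount MOUNTPOINT MOUNTS_FILE OPTION...
# Return 0 when every required option is present, 1 otherwise, and print a
# one-line verdict for the mount point.
check_mount() {
    mountpoint=$1
    mounts_file=$2
    shift 2
    opts=$(mount_opts "$mountpoint" "$mounts_file")
    if [ -z "$opts" ]; then
        echo "$mountpoint: not a separate mount (inherits options of its parent filesystem)"
        return 1
    fi
    missing=""
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mountpoint: missing$missing"
        return 1
    fi
    echo "$mountpoint: ok ($opts)"
    return 0
}

# audit_tmp_dirs [MOUNTS_FILE]
# Check the three directories the tutorial covers; non-zero exit status if
# any of them is not hardened, so the script can gate a deployment check.
audit_tmp_dirs() {
    mounts_file=${1:-/proc/mounts}
    rc=0
    for mp in /tmp /var/tmp /dev/shm; do
        check_mount "$mp" "$mounts_file" nodev nosuid noexec || rc=1
    done
    return $rc
}

# Run only when executed under the assumed script name:
#   sh audit-tmp-mounts.sh            (reads /proc/mounts)
#   sh audit-tmp-mounts.sh saved.txt  (reads a saved listing)
case "$0" in
    *audit-tmp-mounts.sh) audit_tmp_dirs "$@" ;;
esac
```

Checking /proc/mounts rather than /etc/fstab is deliberate: fstab states intent, while /proc/mounts shows what the kernel actually applied, which is what matters after a remount or a failed boot-time mount.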

How do I mount /tmp as a filesystem?

You can mount $jail/tmp as a separate filesystem backed by a file called /images/tmpfile.bin, with the noexec, nosuid and nodev options, under Linux-like operating systems.

  • Wolfsrudel December 19, 2012, 7:23 am

    …and afterwards aptitude isn’t working anymore! :P

    If this is the case – and it will be! – edit your ‘/etc/apt/apt.conf’ and add the following lines:

    // if /tmp is mounted non-executable
    DPkg::Pre-Invoke {"mount -o remount,exec /tmp";};
    DPkg::Post-Invoke {"mount -o remount /tmp";};

    Kind regards.

  • ganto December 19, 2012, 9:57 am

    Debian (apt-get respectively) has some troubles when /tmp is mounted with ‘noexec’. Please check http://www.debian-administration.org/articles/57 for a work-around.

  • Jalal Hajigholamali December 20, 2012, 2:59 am

    Hi,

    Normally some applications generate scripts dynamically
    under /tmp and execute them…

    Thanks….

  • ali December 20, 2012, 4:42 am

    Hi, thanks, it was good.

  • Dave May 1, 2013, 11:51 pm

    To mount /tmp and /var/tmp from within a VPS

    mount -t tmpfs -o noexec,nosuid,nodev tmpfs /tmp
    mount -t tmpfs -o noexec,nosuid,nodev tmpfs /var/tmp

    To check the mounted ‘tmp’ partitions, execute

    mount | grep tmp

  • abdullah August 14, 2013, 5:10 pm

    Hello there, thank you. Does this work with cPanel?

  • Mohammed Khalid August 20, 2013, 10:30 am

    Hi

    Just want to know: is there any downtime when remounting the /tmp filesystem?

    step 1. mount -o remount defaults,exec /tmp
    step 2. mount -o remount defaults,noexec,nosuid,nodev /tmp

    Thanks
    Mohammed Khalid

  • Dev Null March 22, 2016, 11:50 pm

    How would you go about allowing a specific application execute permission in /tmp?
    Let’s say you mount it with noexec per the tutorial but you want to allow a specific program to be able to…

  • M.Pasha October 7, 2016, 7:47 am

    OK, so it stops executing files from these directories.
    nodev – no development?
    nosuid – no suid for this partition? So if any file resides in any of the above file systems and a user tries to execute it, it will use the user's permissions, not the file's permissions?
    Is there any impact on any user running Linux?

    To remount all the newly updated mount points, I guess "mount -a" will be enough, no need to type remount commands; any thoughts on this?

  • Mikhail November 21, 2016, 4:01 pm

    Would you need to add rw to the settings?

    mount -o rw,remount,noexec,nosuid,nodev /tmp
    and

    rw,nofail,nodev,nosuid,noexec for fstab settings?

    • Vivek Gite November 22, 2016, 7:14 am

      Yes, if you want to do read and write on /tmp.
