Linux Security: Mount /tmp With nodev, nosuid, and noexec Options

How do I mount /tmp with nodev, nosuid, and noexec options to increase the security of my Linux-based web server? How can I add nodev, nosuid, and noexec options to /dev/shm under Linux operating systems?

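Temporary storage directories such as /tmp, /var/tmp and /dev/shm provide storage space for malicious executables. Crackers and hackers store executables in /tmp. Malicious users can use temporary storage directories to execute unwanted programs and crack your server. The noexec option blocks direct execution of binaries stored on the filesystem, nosuid makes the kernel ignore set-user-ID and set-group-ID bits, and nodev stops character and block device files on the filesystem from being interpreted as devices.

Tutorial details
Difficulty level: Intermediate
Root privileges: Yes
Requirements: Linux
Est. reading time: N/A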

Add nodev, nosuid, and noexec options to /tmp

Edit the file /etc/fstab, enter:
# vi /etc/fstab
Locate the /tmp line:

UUID=0aef28b9-3d11-4ab4-a0d4-d53d7b4d3aa4 /tmp                    ext4    defaults        1 2

Append the text ,nodev,nosuid,noexec to the list of mount options in column 4. In the end, your entry should look as follows:

UUID=0aef28b9-3d11-4ab4-a0d4-d53d7b4d3aa4 /tmp                    ext4    defaults,nodev,nosuid,noexec        1 2

Save and close the file.

Add nodev, nosuid, and noexec options to /dev/shm

Edit the file /etc/fstab, enter:
# vi /etc/fstab
Locate the /dev/shm line:

tmpfs                   /dev/shm                tmpfs   defaults        0 0

Append the text ,nodev,nosuid,noexec to the list of mount options in column 4. In the end, your entry should look as follows:

tmpfs                   /dev/shm                tmpfs   defaults,nodev,nosuid,noexec        0 0

Save and close the file.

A note about /var/tmp

Make sure you bind /var/tmp to /tmp. Edit the file /etc/fstab, enter:
# vi /etc/fstab
Append the following line:

/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0

Save and close the file.

Set nodev, nosuid, and noexec options without rebooting the Linux server

Type the following commands as the root user:

## Bind /var/tmp to /tmp
 mount -o rw,noexec,nosuid,nodev,bind /tmp/ /var/tmp/

## Remount /tmp
 mount -o remount,noexec,nosuid,nodev /tmp

## Remount /dev/shm
 mount -o remount,noexec,nosuid,nodev /dev/shm

Verify new settings:
# mount
# mount | less
# mount | egrep --color -w '^(tmpfs|/tmp)|/tmp'

Sample outputs:

Fig.01: mount command output
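
A scripted version of the verification step, added here as an example (it is not part of the original tutorial). The function name audit_tmp_mounts and the sample lines are constructed for illustration; the function reads /etc/fstab, /proc/self/mounts or standard input ("-") and reports which of the three options are still missing on each temporary directory.

```sh
#!/bin/sh
# Added example: report which of nodev, nosuid and noexec are missing on
# /tmp, /var/tmp and /dev/shm. Reads any file in fstab layout (field 2 =
# mount point, field 4 = options): /etc/fstab, /proc/self/mounts, or "-".

audit_tmp_mounts() {
    # $1 (assumed default): /proc/self/mounts, i.e. the live mount table
    awk '
        BEGIN {
            n = split("/tmp /var/tmp /dev/shm", targets, " ")
            m = split("nodev nosuid noexec", required, " ")
        }
        /^[ \t]*#/ || NF < 4 { next }      # comments, blank or short lines
        {
            mp = $2
            if (mp != "/") sub(/\/+$/, "", mp)   # "/var/tmp/" -> "/var/tmp"
            opts[mp] = $4                  # later line wins (stacked mounts)
        }
        END {
            for (i = 1; i <= n; i++) {
                t = targets[i]
                if (!(t in opts)) { print t ": no entry (not a separate mount)"; continue }
                missing = ""
                for (j = 1; j <= m; j++)
                    if (index("," opts[t] ",", "," required[j] ",") == 0)
                        missing = missing (missing == "" ? "" : ",") required[j]
                print t ": " (missing == "" ? "ok" : "missing " missing)
            }
        }
    ' "${1:-/proc/self/mounts}"
}

# Constructed sample in /proc/self/mounts layout: /tmp still lacks noexec
# and /var/tmp has not been bound to /tmp yet.
audit_tmp_mounts - <<'EOF'
/dev/sda3 /tmp ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
EOF
```

Run audit_tmp_mounts /etc/fstab to check what will apply at the next boot, and audit_tmp_mounts with no argument to check what is in effect now.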

How do I mount /tmp as a filesystem?

You can mount $jail/tmp as a separate filesystem using a file called /images/tmpfile.bin with the noexec, nosuid, and nodev options under Linux-like operating systems.

12 comments… add one
  • Wolfsrudel Dec 19, 2012 @ 7:23

    …and afterwards aptitude isn’t working anymore! :P

    If this is the case – and it will be! – edit your ‘/etc/apt/apt.conf’ and add the following lines:

    // if /tmp is mounted non-executable
    DPkg::Pre-Invoke {"mount -o remount,exec /tmp";};
    DPkg::Post-Invoke {"mount -o remount /tmp";};

    Kind regards.

  • ganto Dec 19, 2012 @ 9:57

    Debian (apt-get respectively) has some troubles when /tmp is mounted with ‘noexec’. Please check for a work-around.

  • Jalal Hajigholamali Dec 20, 2012 @ 2:59


    Normally some applications generate a script dynamically
    under /tmp and execute it…


  • ali Dec 20, 2012 @ 4:42

    Hi, thanks, it was good.

  • Dave May 1, 2013 @ 23:51

    To mount /tmp and /var/tmp from within a VPS

    mount -t tmpfs -o noexec,nosuid,nodev tmpfs /tmp
    mount -t tmpfs -o noexec,nosuid,nodev tmpfs /var/tmp

    To check the mounted ‘tmp’ partitions, execute

    mount | grep tmp

  • abdullah Aug 14, 2013 @ 17:10

    Hello there, thanks. Does this work with cPanel?

  • Mohammed Khalid Aug 20, 2013 @ 10:30


    Just want to know, is there any downtime when remounting the /tmp filesystem?

    step 1. mount -o remount,defaults,exec /tmp
    step 2. mount -o remount,defaults,noexec,nosuid,nodev /tmp

    Mohammed Khalid

  • Dev Null Mar 22, 2016 @ 23:50

    How would you go about allowing a specific application execute permission in /tmp?
    Let’s say you mount it with noexec per the tutorial but you want to allow a specific program to be able to…

  • M.Pasha Oct 7, 2016 @ 7:47

    Ok, so it stops executing files from these directories.
    nodev – no development?
    nosuid – no suid for this partition? So if any file resides in any of the above file systems and a user tries to execute it, it will use the user permission, not the file permission?
    Is there any impact to any user in running Linux?

    To remount all the newly updated mount points, I guess “mount -a” will be enough, no need to type remount commands. Any thoughts on this?

  • Mikhail Nov 21, 2016 @ 16:01

    Would you need to add rw to the settings?

    mount -o rw,remount,noexec,nosuid,nodev /tmp

    rw,nofail,nodev,nosuid,noexec for fstab settings?

    • 🐧 Vivek Gite Nov 22, 2016 @ 7:14

      Yes, if you want to do read and write on /tmp.

  • MikeOh Shark Sep 30, 2020 @ 15:27

    I found this page while searching for a way to make hot-plugged USB drives mount as noexec. It appears fuse mounted drives mount as nosuid and nodev by default but I want to add noexec only for flash drives.

    My use case is a Linux desktop which uses Xfce.
