Linux Security: Mount /tmp With nodev, nosuid, and noexec Options

Last updated December 19, 2012

How do I mount /tmp with nodev, nosuid, and noexec options to increase the security of my Linux based web server? How can I add nodev, nosuid, and noexec options to /dev/shm under Linux operating systems?

Temporary storage directories such as /tmp, /var/tmp and /dev/shm are writable by every local user, so they provide convenient storage space for malicious executables. Crackers and hackers store executables in /tmp, and malicious users can use these temporary storage directories to execute unwanted programs and crack your server. Mounting them with noexec, nosuid and nodev takes that ability away: binaries stored there cannot be executed directly, set-user-ID bits on files there are ignored, and device nodes there are not interpreted.

Add nodev, nosuid, and noexec options to /tmp

Edit the file /etc/fstab, enter:
# vi /etc/fstab
Locate the /tmp line:

UUID=0aef28b9-3d11-4ab4-a0d4-d53d7b4d3aa4 /tmp                    ext4    defaults        1 2

Append the text ,nodev,nosuid,noexec to the list of mount options in column 4. Your entry should then look as follows:

UUID=0aef28b9-3d11-4ab4-a0d4-d53d7b4d3aa4 /tmp                    ext4    defaults,nodev,nosuid,noexec        1 2

Save and close the file.

Add nodev, nosuid, and noexec options to /dev/shm

Edit the file /etc/fstab, enter:
# vi /etc/fstab
Locate the /dev/shm line:

tmpfs                   /dev/shm                tmpfs   defaults        0 0

Append the text ,nodev,nosuid,noexec to the list of mount options in column 4. Your entry should then look as follows:

tmpfs                   /dev/shm                tmpfs   defaults,nodev,nosuid,noexec        0 0

Save and close the file.

A note about /var/tmp

Make sure you bind /var/tmp to /tmp. Edit the file /etc/fstab, enter:
# vi /etc/fstab
Append the following line:

/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0

Save and close the file.
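The three fstab edits above are the same operation applied to different mount points: append nodev, nosuid and noexec to column 4 of the matching line. The following script, added here as an example and not part of the original article, does that edit with awk so it can be repeated safely: it skips comments and other mount points, never duplicates an option that is already present, and is tried out on a constructed copy of an fstab rather than on /etc/fstab itself. The file path and mount point are parameters; the sample fstab content is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): add nodev,nosuid,noexec to
# the mount options of one mount point in an fstab-format file.

# add_opts FILE MOUNTPOINT
# Rewrites FILE in place so that the entry for MOUNTPOINT carries nodev,
# nosuid and noexec in its options column (column 4). Options already present
# are not duplicated; comment lines, blank lines and other mount points are
# passed through untouched. Note that awk rebuilds the edited line with single
# spaces between columns, so column alignment of that line is lost.
add_opts() {
    file=$1
    mnt=$2
    tmp=$(mktemp) || return 1
    awk -v mnt="$mnt" '
        /^[[:space:]]*#/ || NF == 0 || $2 != mnt { print; next }
        {
            opts = $4
            n = split("nodev nosuid noexec", want, " ")
            for (i = 1; i <= n; i++)
                # match the option as a whole comma-separated field
                if (index("," opts ",", "," want[i] ",") == 0)
                    opts = opts "," want[i]
            $4 = opts
            print
        }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# opts_of FILE MOUNTPOINT
# Prints the options column of the entry for MOUNTPOINT (empty if none).
opts_of() {
    awk -v mnt="$2" '!/^[[:space:]]*#/ && $2 == mnt { print $4 }' "$1"
}

# Demo on a constructed fstab copy (sample content, not a real system file).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample fstab for the demo
UUID=0aef28b9-3d11-4ab4-a0d4-d53d7b4d3aa4 /tmp                    ext4    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults,nosuid        0 0
EOF
    add_opts "$f" /tmp
    add_opts "$f" /dev/shm
    add_opts "$f" /tmp          # second run changes nothing
    echo "/tmp:     $(opts_of "$f" /tmp)"       # defaults,nodev,nosuid,noexec
    echo "/dev/shm: $(opts_of "$f" /dev/shm)"   # defaults,nosuid,nodev,noexec
    rm -f "$f"
}

demo
```

To use it on a real host, copy /etc/fstab somewhere first (cp /etc/fstab /root/fstab.new), run add_opts on the copy for /tmp and /dev/shm, diff the copy against the original, and only then put it in place; the bind entry for /var/tmp is an added line, not an edited one, so it stays a manual step as described above.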

Set nodev, nosuid, and noexec options without rebooting the Linux server

Type the following commands as the root user:

## Bind /var/tmp to /tmp
 mount -o rw,noexec,nosuid,nodev,bind /tmp/ /var/tmp/

## Remount /tmp
 mount -o remount,noexec,nosuid,nodev /tmp

## Remount /dev/shm
 mount -o remount,noexec,nosuid,nodev /dev/shm

Verify new settings:
# mount
# mount | less
# mount | egrep --color -w '^(tmpfs|/tmp)|/tmp'

Sample outputs:

Fig.01: mount command output
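Reading the mount output by eye works for one host, but an audit that is run regularly should answer a yes/no question: are /tmp, /var/tmp and /dev/shm all mounted with nodev, nosuid and noexec? The script below, an added example that is not part of the original article, reads a mount table in /proc/mounts format and reports which of the three options each directory lacks. The table file is a parameter so the check runs against a constructed sample here and against the real /proc/mounts on a server; the sample lines are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): audit that the temporary
# directories are mounted with nodev, nosuid and noexec.

# missing_opts TABLE MOUNTPOINT
# Prints, one per line, the options among nodev/nosuid/noexec that the mount
# of MOUNTPOINT lacks, or "not-mounted" if MOUNTPOINT is absent from TABLE.
# Returns 0 when every option is present, 1 otherwise.
missing_opts() {
    table=$1
    mnt=$2
    # the most recent mount of a path is listed last (a bind or remount
    # appears after the original entry), so keep the last matching line
    opts=$(awk -v mnt="$mnt" '$2 == mnt { o = $4 } END { print o }' "$table")
    if [ -z "$opts" ]; then
        echo not-mounted
        return 1
    fi
    rc=0
    for want in nodev nosuid noexec; do
        case ",$opts," in
            *",$want,"*) ;;                 # present as a whole option
            *) echo "$want"; rc=1 ;;
        esac
    done
    return $rc
}

# audit TABLE
# Checks /tmp, /var/tmp and /dev/shm, prints one line per mount point and
# returns non-zero if any of them is missing an option or is not mounted.
audit() {
    rc=0
    for m in /tmp /var/tmp /dev/shm; do
        miss=$(missing_opts "$1" "$m") || rc=1
        if [ -z "$miss" ]; then
            echo "$m: ok"
        else
            echo "$m: missing $(echo "$miss" | tr '\n' ' ')"
        fi
    done
    return $rc
}

# Constructed sample in /proc/mounts format (not taken from a real host):
# /tmp is hardened, /dev/shm still lacks noexec, /var/tmp is not mounted.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda3 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF

audit "$SAMPLE" || echo "one or more mount points need attention"
# On a live system run: audit /proc/mounts
```

Checking /proc/mounts rather than /etc/fstab is deliberate: fstab says what should happen at boot, /proc/mounts says what the kernel is enforcing right now, and the two drift apart after a manual remount or a failed mount.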

How do I mount /tmp as a filesystem?

If /tmp is not already on its own partition, you can mount it (or a chroot jail's $jail/tmp) as a separate filesystem backed by a disk image file such as /images/tmpfile.bin, with the noexec,nosuid,nodev options, under Linux-like operating systems.
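The steps behind that sentence are: create an image file, put a filesystem on it, and mount it on /tmp through a loop device with the hardening options. The script below is an added example, not the article's own code: the image path /images/tmpfile.bin and the mount point /tmp come from the text, the 1024 MB size is an assumed value, and the ext4 filesystem type is my choice. Creating and mounting the image needs root; the fstab_line helper that produces the matching /etc/fstab entry does not.

```shell
#!/bin/sh
# Added example (not from the original article): a file-backed /tmp with
# nodev,nosuid,noexec. IMAGE, SIZE_MB and MNT are parameters.

# fstab_line IMAGE MNT
# Prints the /etc/fstab entry that mounts IMAGE on MNT via a loop device with
# the hardening options, so the mount comes back after a reboot. fsck passno
# is 0: loop-backed images are not checked at boot.
fstab_line() {
    printf '%s %s ext4 loop,nodev,nosuid,noexec 0 0\n' "$1" "$2"
}

# setup_tmp_image IMAGE SIZE_MB MNT
# Creates a SIZE_MB zero-filled image, formats it as ext4 and mounts it on
# MNT with loop,nodev,nosuid,noexec. Refuses to overwrite an existing image.
# Anything already stored under MNT is hidden (not deleted) by the new mount.
setup_tmp_image() {
    image=$1
    size=$2
    mnt=$3
    if [ -e "$image" ]; then
        echo "$image already exists, not overwriting" >&2
        return 1
    fi
    dd if=/dev/zero of="$image" bs=1M count="$size" status=none &&
    chmod 600 "$image" &&                      # image contents are root-only
    mkfs.ext4 -q -F "$image" &&                # -F: the target is a plain file
    mount -o loop,nodev,nosuid,noexec "$image" "$mnt" &&
    chmod 1777 "$mnt"                          # /tmp: world-writable + sticky
}

# Print the fstab entry for the article's names; the root-only setup is shown
# as a comment so the script runs unprivileged.
fstab_line /images/tmpfile.bin /tmp
# as root: mkdir -p /images && setup_tmp_image /images/tmpfile.bin 1024 /tmp
```

After setup_tmp_image succeeds, append the fstab_line output to /etc/fstab and confirm with mount | grep /tmp that the options are in effect; a cron-driven audit of /proc/mounts catches the case where the image fails to mount at boot and /tmp silently falls back to the root filesystem without the restrictions.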



  1. …and afterwards aptitude isn’t working anymore! :P

    If this is the case – and it will be! – edit your '/etc/apt/apt.conf' and add the following lines:

    // if /tmp is mounted non-executable
    DPkg::Pre-Invoke {"mount -o remount,exec /tmp";};
    DPkg::Post-Invoke {"mount -o remount /tmp";};

    Kind regards.

  2. To mount /tmp and /var/tmp from within a VPS

    mount -t tmpfs -o noexec,nosuid,nodev tmpfs /tmp
    mount -t tmpfs -o noexec,nosuid,nodev tmpfs /var/tmp

    To check the mounted ‘tmp’ partitions, execute

    mount | grep tmp

  3. Hi

    Just want to know, is there any downtime remounting the /tmp filesystem?

    step 1. mount -o remount defaults,exec /tmp
    step 2. mount -o remount defaults,noexec,nosuid,nodev /tmp

    Thanks
    Mohammed Khalid

  4. How would you go about allowing a specific application execute permission in /tmp?
    Let’s say you mount it with noexec per the tutorial but you want to allow a specific program to be able to…

  5. OK, so it stops executing files from these directories.
    nodev – no development?
    nosuid – no suid for this partition? So if any file resides in any of the above file systems and a user tries to execute it, it will use the user's permissions, not the file's permissions?
    Is there any impact on any user running Linux?

    To remount all the newly updated mount points, I guess "mount -a" will be enough, no need to type remount commands; any thoughts on this?

  6. Would you need to add rw to the settings?

    mount -o rw,remount,noexec,nosuid,nodev /tmp
    and

    rw,nofail,nodev,nosuid,noexec for fstab settings?
