Linux Security: Mount /tmp With nodev, nosuid, and noexec Options

How do I mount /tmp with nodev, nosuid, and noexec options to increase the security of my Linux based web server? How can I add nodev, nosuid, and noexec options to /dev/shm under Linux operating systems?

Temporary storage directories such as /tmp, /var/tmp and /dev/shm provide storage space for malicious executables.
Tutorial details
Difficulty: Intermediate
Root privileges: Yes
Requirements: Linux
Time: N/A
Crackers and hackers store executables in /tmp. Malicious users can use temporary storage directories to execute unwanted programs and compromise your server.


Add nodev, nosuid, and noexec options to /tmp

Edit the file /etc/fstab, enter:
# vi /etc/fstab
Locate the /tmp line:

UUID=0aef28b9-3d11-4ab4-a0d4-d53d7b4d3aa4 /tmp                    ext4    defaults        1 2

Append the text ,nodev,nosuid,noexec to the list of mount options in column 4. In the end, your entry should look as follows:

UUID=0aef28b9-3d11-4ab4-a0d4-d53d7b4d3aa4 /tmp                    ext4    defaults,nodev,nosuid,noexec        1 2

Save and close the file.

Add nodev, nosuid, and noexec options to /dev/shm

Edit the file /etc/fstab, enter:
# vi /etc/fstab
Locate the /dev/shm line:

tmpfs                   /dev/shm                tmpfs   defaults        0 0

Append the text ,nodev,nosuid,noexec to the list of mount options in column 4. In the end, your entry should look as follows:

tmpfs                   /dev/shm                tmpfs   defaults,nodev,nosuid,noexec        0 0

Save and close the file.

A note about /var/tmp

Make sure you bind /var/tmp to /tmp. Edit the file /etc/fstab, enter:
# vi /etc/fstab
Append the following line:

/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0

Save and close the file.

Set nodev, nosuid, and noexec options without rebooting the Linux server

Type the following command as root user:

## Bind /var/tmp to /tmp
# mount -o rw,noexec,nosuid,nodev,bind /tmp/ /var/tmp/

## Remount /tmp
# mount -o remount,noexec,nosuid,nodev /tmp

## Remount /dev/shm
# mount -o remount,noexec,nosuid,nodev /dev/shm

Verify new settings:
# mount
# mount | less
# mount | egrep --color -w '^(tmpfs|/tmp)|/tmp'

Sample outputs:

Fig.01: mount command output
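The verification step above relies on reading the mount output by eye. As an added example (not from the original tutorial), the following POSIX shell helpers do the fstab edit and the mount check mechanically: one appends the three options to an fstab entry only where they are missing, the other reports which of /tmp, /var/tmp and /dev/shm still lack an option in /proc/mounts-style input. Both read from stdin, and the sample lines are constructed so the script runs offline.

```shell
# Added example (not from the original tutorial): two helpers that read
# fstab- or /proc/mounts-style text from stdin so they can be tested
# offline; on a live host pipe in /etc/fstab or /proc/mounts instead.

# add_mount_opts MOUNTPOINT: append nodev, nosuid and noexec to the options
# column (field 4) of MOUNTPOINT's fstab entry, skipping any already there.
# awk rewrites the edited line with single spaces between fields.
add_mount_opts() {
    awk -v mp="$1" '
    $1 !~ /^#/ && $2 == mp {
        n = split($4, o, ","); split("", have)
        for (i = 1; i <= n; i++) have[o[i]] = 1
        split("nodev nosuid noexec", req, " ")
        for (j = 1; j <= 3; j++) if (!(req[j] in have)) $4 = $4 "," req[j]
    }
    { print }'
}

# check_tmp_mounts: read /proc/mounts format (device mountpoint fstype
# options dump pass), print one line per problem, and exit 1 if /tmp,
# /var/tmp or /dev/shm lacks any of the three options or is not a separate
# mount at all; exit 0 when all three are fully hardened.
check_tmp_mounts() {
    awk '
    BEGIN { want["/tmp"] = want["/var/tmp"] = want["/dev/shm"] = 1; bad = 0 }
    ($2 in want) {
        seen[$2] = 1
        n = split($4, o, ","); split("", have)
        for (i = 1; i <= n; i++) have[o[i]] = 1
        split("nodev nosuid noexec", req, " ")
        for (j = 1; j <= 3; j++)
            if (!(req[j] in have)) { print $2 " missing " req[j]; bad = 1 }
    }
    END {
        for (m in want) if (!(m in seen)) { print m " not a separate mount"; bad = 1 }
        exit bad
    }'
}

# Constructed sample in /proc/mounts format (not from a real host): /tmp is
# hardened, /dev/shm lacks noexec, and /var/tmp is not bind-mounted at all.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'
# Constructed fstab entry as it looks before the edit.
SAMPLE_FSTAB='tmpfs /dev/shm tmpfs defaults 0 0'

printf '%s\n' "$SAMPLE_FSTAB" | add_mount_opts /dev/shm
printf '%s\n' "$SAMPLE_MOUNTS" | check_tmp_mounts || echo "hardening incomplete"
```

On a real server, `check_tmp_mounts < /proc/mounts` gives a non-zero exit status that a configuration-audit job can act on, which the `mount | egrep` check above does not.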

How do I mount /tmp as a filesystem?

You can mount $jail/tmp as a separate filesystem backed by a file such as /images/tmpfile.bin, with the noexec, nosuid and nodev options, under Linux-like operating systems.

11 comments
  • Wolfsrudel Dec 19, 2012 @ 7:23

    …and afterwards aptitude isn’t working anymore! :P

    If this is the case – and it will be! – edit your ‘/etc/apt/apt.conf’ and add the following lines:

    // if /tmp is mounted non-executable
    DPkg::Pre-Invoke {"mount -o remount,exec /tmp";};
    DPkg::Post-Invoke {"mount -o remount /tmp";};

    Kind regards.

  • ganto Dec 19, 2012 @ 9:57

    Debian (apt-get respectively) has some troubles when /tmp is mounted with ‘noexec’. Please check http://www.debian-administration.org/articles/57 for a work-around.

  • Jalal Hajigholamali Dec 20, 2012 @ 2:59

    Hi,

    Normally some applications generate scripts dynamically
    under /tmp and execute them…

    Thanks….

  • ali Dec 20, 2012 @ 4:42

    Hi, thanks, it was good.

  • Dave May 1, 2013 @ 23:51

    To mount /tmp and /var/tmp from within a VPS

    mount -t tmpfs -o noexec,nosuid,nodev tmpfs /tmp
    mount -t tmpfs -o noexec,nosuid,nodev tmpfs /var/tmp

    To check the mounted ‘tmp’ partitions, execute

    mount | grep tmp

  • abdullah Aug 14, 2013 @ 17:10

    Hello there, thx. Does this work with cPanel?

  • Mohammed Khalid Aug 20, 2013 @ 10:30

    Hi

    Just want to know, is there any downtime remounting the /tmp filesystem?

    step 1. mount -o remount,defaults,exec /tmp
    step 2. mount -o remount,defaults,noexec,nosuid,nodev /tmp

    Thanks
    Mohammed Khalid

  • Dev Null Mar 22, 2016 @ 23:50

    How would you go about allowing a specific application execute permission in /tmp?
    Let’s say you mount it with noexec per the tutorial but you want to allow a specific program to be able to…

  • M.Pasha Oct 7, 2016 @ 7:47

    Ok, so it stops executing files from these directories.
    nodev – no development?
    nosuid – no suid for this partition? So if any file resides in any of the above file systems and a user tries to execute it, it will use the user's permissions, not the file's permissions?
    Is there any impact on any user in a running Linux?

    To remount all the newly updated mount points, I guess “mount -a” will be enough, no need to type remount commands. Any thoughts on this?

  • Mikhail Nov 21, 2016 @ 16:01

    Would you need to add rw to the settings?

    mount -o rw,remount,noexec,nosuid,nodev /tmp
    and

    rw,nofail,nodev,nosuid,noexec for fstab settings?
