Increase Server Security - mount /tmp with nodev, nosuid, and noexec

LF-Chaudhuri

The "/tmp" folder (or partition) provides a world-writable space for temporary files.
For example, the web server has read access to things like the document root, as well as write access to /tmp, /var/tmp, and any other world-writable files and directories.
For the same reason, an attacker who compromises that process can write files to "/tmp" and execute them from there.

noexec - Disables the execution of binaries located on that filesystem. When we mount "/tmp" with this option, it prevents users from executing programs placed under "/tmp".
</grreplace>
<gr_replace lines="14" cat="clarify" orig="suid (u+s)">
suid (u+s) - When the "suid" bit is set on a file, the file executes as the user who owns it, not as the user who ran it. On a compromised system this can cause further damage, because a user can run such a program with the privileges of the file's owner.

suid (u+s) - When "suid" is set on a file, it executes as the user that owns the file, not the user that ran the file. It can further damage a compromised system where the user can run the program as the user who owns the file.

nosuid - Ignores the "suid" bit on files in that filesystem, so they run with the caller's privileges only.

nodev - A system contains special device files such as "/dev/zero". The "nodev" option specifies that the filesystem cannot contain (or will not interpret) special device files. We do not want "/tmp" to be usable for creating character or block device nodes that give access to the underlying hardware.

Run the following commands as root.

mount -o remount,noexec,nosuid,nodev /tmp
It will remount "/tmp" with the options noexec, nosuid, and nodev.

mount -o remount,noexec,nosuid,nodev /dev/shm
It will remount "/dev/shm" with the options noexec, nosuid, and nodev.

mount -o rw,noexec,nosuid,nodev,bind /tmp/ /var/tmp/
It will bind-mount "/tmp" onto "/var/tmp" with the options noexec, nosuid, and nodev, so both paths share the same hardened storage.

Put the entries in the "/etc/fstab" file as shown in the snapshot to make the changes persistent across reboots.

[fstab.PNG: snapshot of the "/etc/fstab" entries]

Files in "/tmp" which have not been accessed, changed, or modified for ten days are deleted automatically. Another temporary directory exists, "/var/tmp", in which files that have not been accessed, changed, or modified for more than thirty days are deleted automatically. Here we have bound "/var/tmp" to "/tmp".
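As an added example (not part of the original tutorial), the following POSIX shell script audits the three mount points above by reading a file in /proc/mounts format and reporting any that are not a separate mount or lack nodev, nosuid, or noexec; the function name check_mounts and the sample mount table at the bottom are my own constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit the mount points the tutorial
# hardens. The function reads a file in /proc/mounts format, so on a live system
# run it as:  check_mounts /proc/mounts
# Remediate a failing entry with the remount command from the tutorial.

# Report each of /tmp, /var/tmp and /dev/shm that is not its own mount or lacks
# any of nodev, nosuid, noexec. Returns 0 when all three are compliant, else 1.
check_mounts() {
    rc=0
    for mp in /tmp /var/tmp /dev/shm; do
        # /proc/mounts fields: device mountpoint fstype options dump pass.
        # Keep the last matching line: the most recent mount on a path wins.
        opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$1")
        if [ -z "$opts" ]; then
            echo "$mp: not a separate mount (parent filesystem options apply)"
            rc=1
            continue
        fi
        missing=""
        for want in nodev nosuid noexec; do
            case ",$opts," in
                *,"$want",*) ;;
                *) missing="$missing $want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "$mp: missing$missing"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: /tmp is hardened, /dev/shm still allows exec, and /var/tmp
# was never bound, so the check must fail and name the last two.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/vda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
if check_mounts "$SAMPLE_MOUNTS"; then
    echo "all hardened mount points compliant"
else
    echo "remediate with: mount -o remount,noexec,nosuid,nodev <mountpoint>"
fi
rm -f "$SAMPLE_MOUNTS"
```

A bind mount of /tmp onto /var/tmp appears in /proc/mounts as its own line with the source filesystem's options, which is why the script treats /var/tmp as a separate mount point.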

Note: If you want your VPS or dedicated server to have a dedicated "/tmp" partition, then please submit a ticket during the initial setup.

Thank you for reading. To provide feedback or to request a new tutorial, please contact us.