Blog

03/06/2019

Linux Security: Mount /tmp With nodev, nosuid, and noexec Options



How do I mount /tmp with nodev, nosuid, and noexec options to increase the security of my Linux based web server? How can I add nodev, nosuid, and noexec options to /dev/shm under Linux operating systems?

Temporary storage directories such as /tmp, /var/tmp and /dev/shm provide storage space for malicious executables. Crackers and hackers store executables in /tmp. Malicious users can use temporary storage directories to execute unwanted program and crack your server.

Add nodev, nosuid, and noexec options to /tmp

Edit the file /etc/fstab, enter:
# vi /etc/fstab
Locate the /tmp line:

UUID=0aef28b9-3d11-4ab4-a0d4-d53d7b4d3aa4 /tmp                    ext4    defaults        1 2

Append the text ,nodev,nosuid,noexec to the list of mount options in column 4. In the end, your entry should look like as follows:

UUID=0aef28b9-3d11-4ab4-a0d4-d53d7b4d3aa4 /tmp                    ext4    defaults,nodev,nosuid,noexec        1 2

Save and close the file.

Add nodev, nosuid, and noexec options to /dev/shm

Edit the file /etc/fstab, enter:
# vi /etc/fstab
Locate the /dev/shm line:

tmpfs                   /dev/shm                tmpfs   defaults        0 0

Append the text ,nodev,nosuid,noexec to the list of mount options in column 4. In the end, your entry should look like as follows:

tmpfs                   /dev/shm                tmpfs   defaults,nodev,nosuid,noexec        0 0

Save and close the file.

A note about /var/tmp

Make sure you bind /var/tmp to /tmp. Edit the file /etc/fstab, enter:
# vi /etc/fstab
Append the following line:

/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0

Save and close the file.

Set nodev, nosuid, and noexec options without rebooting the Linux server

Type the following command as root user:

## Bind /var/tmp to /tmp
 mount -o rw,noexec,nosuid,nodev,bind /tmp/ /var/tmp/

## Remount /tmp
 mount -o remount,noexec,nosuid,nodev /tmp

## Remount /dev/shm
 mount -o remount,noexec,nosuid,nodev /dev/shm

Verify new settings:
# mount
# mount | less
# mount | egrep --color -w '^(tmpfs|/tmp)|/tmp'

Sample outputs:

Fig.01: mount command output

How do I mount /tmp as a filesystem?

You can mount $jail/tmp as a separate filesystem using a file called /images/tmpfile.bin with the noexec,nosuid, nodev options under Linux like operating systems.

See also

Posted by: SXI ADMIN

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

14/08/2019

How to KVM, QEMU start or stop virtual machine from command line (CLI)

KVM or Kernel Based Virtual Machine is a popular virtualization technology. It allows you to run virtual guest machines over a host machine. To start...
14/08/2019

How to Docker backup Saving and restoring your volumes

Running a Docker volume backup First, we spin up a temporary container, and we mount the backup folder and the target Docker volume to this container....
12/08/2019

How to Start and Enable Firewalld on CentOS 7

In this article, we discuss how to start and enable firewalld. It is highly recommended that you have a firewall protecting your server.Pre-Flight CheckThese...