
Using nodev, nosuid, and noexec Options to Temporary Storage Partitions

Temporary storage directories such as /tmp and /dev/shm potentially provide storage space for malicious executables.

Although mount options cannot prevent interpreted code stored there from being executed by a program on another partition, using certain mount options can still be disruptive to malicious code.

Add nodev, nosuid, and noexec Options to /tmp
Edit the file /etc/fstab and append ,nodev,nosuid,noexec to the list of mount options in column 4 of the /tmp entry.


At install time, the easiest thing to do is to mount your /tmp partition with the noexec,nosuid options, and mount the /home partition with the nosuid option. This is done in your /etc/fstab and requires those paths to exist as separate partitions, not just as subdirectories of /. If you're unsure, type:

mount

to get a listing of your partitions and their current mount options. Use Google for more information on these mount options. Be very careful when editing your /etc/fstab, as any error could prevent your system from starting up. Note that you must not use "nosuid,noexec" for / or /usr, as those partitions normally contain suid binaries (su, passwd, etc.).

Edit the fstab file (vi /etc/fstab) and change it to suit your needs. For example, change:

/dev/sda11 /tmp ext2 defaults 1 2
/dev/sda6 /home ext2 defaults 1 2

To read:

/dev/sda11 /tmp ext2 defaults,rw,nosuid,nodev,noexec 1 2
/dev/sda6 /home ext2 defaults,rw,nosuid,nodev 1 2

nosuid: do not allow set-user-identifier or set-group-identifier bits to take effect.
nodev: do not interpret character or block special devices on this file system.
noexec: do not allow execution of any binaries on the mounted file system.
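The rules above (nodev,nosuid,noexec on /tmp and /dev/shm, nosuid on /home, and never nosuid or noexec on / or /usr) as a small POSIX sh audit, added here as an example and not part of the original post; it reads a /proc/mounts-style listing, and SAMPLE_MOUNTS is a constructed sample rather than the table of a real host.

```shell
#!/bin/sh
# Audit a /proc/mounts-style listing against the post's rules: /tmp and /dev/shm
# want nodev,nosuid,noexec, /home wants nosuid, and / and /usr must NOT carry
# nosuid or noexec. SAMPLE_MOUNTS is a constructed sample, not a real host's table.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda11 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda6 /home ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# Print column 4 (options) for MOUNTPOINT; exit 1 if it is not a separate mount
# (a plain subdirectory of / just inherits the parent's options).
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; f = 1 } END { exit f ? 0 : 1 }'
}

# Exit 0 if NAME is one of the comma-separated options in OPTS.
has_option() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# missing_options MOUNTS MOUNTPOINT OPT...: print required options that are absent
# and exit 1; exit 0 if all set; print "not mounted" and exit 2 if not a mount.
missing_options() {
    _mounts=$1 _mp=$2 _missing=""; shift 2
    _opts=$(mount_options "$_mounts" "$_mp") || { echo "not mounted"; return 2; }
    for _want in "$@"; do
        has_option "$_opts" "$_want" || _missing="$_missing $_want"
    done
    [ -z "$_missing" ] && return 0
    echo "${_missing# }"; return 1
}

# present_options MOUNTS MOUNTPOINT OPT...: print options that are set but must not
# be, exit 1 if any (the / and /usr caveat); exit 0 otherwise.
present_options() {
    _mounts=$1 _mp=$2 _bad=""; shift 2
    _opts=$(mount_options "$_mounts" "$_mp") || return 0
    for _opt in "$@"; do
        has_option "$_opts" "$_opt" && _bad="$_bad $_opt"
    done
    [ -z "$_bad" ] && return 0
    echo "${_bad# }"; return 1
}
# Demo over the constructed sample; substitute "$(cat /proc/mounts)" for a live host.
for _mp in /tmp /dev/shm; do
    _r=$(missing_options "$SAMPLE_MOUNTS" "$_mp" nodev nosuid noexec) && echo "$_mp: ok" || echo "$_mp: missing $_r"
done
_r=$(present_options "$SAMPLE_MOUNTS" / nosuid noexec) && echo "/: ok" || echo "/: must drop $_r"
```

On the sample it reports /tmp as ok, /dev/shm as missing noexec, and / as ok; a directory that is not its own mount is reported as "not mounted", which is the case the article warns about when /tmp is only a subdirectory of /.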