/tmp With nodev, nosuid, and noexec Options

Temporary storage directories such as /tmp, /var/tmp and /dev/shm provide storage space for malicious executables. Crackers and hackers store executables in /tmp. Malicious users can use temporary storage directories to execute unwanted programs and compromise your server.

nodev, nosuid, and noexec options to /tmp

Edit the file /etc/fstab, enter:
# vi /etc/fstab
Locate the /tmp line:
UUID=0aef28b9-3d11-4ab4-a0d4-d53d7b4d3aa4 /tmp ext4 defaults 1 2
Append ,nodev,nosuid,noexec to the list of mount options in column 4. Your entry should look as follows:
UUID=0aef28b9-3d11-4ab4-a0d4-d53d7b4d3aa4 /tmp ext4 defaults,nodev,nosuid,noexec 1 2
Save and close the file.

nodev, nosuid, and noexec options to /dev/shm

Edit the file /etc/fstab, enter:
# vi /etc/fstab
Locate the /dev/shm line:
tmpfs /dev/shm tmpfs defaults 0 0
Append ,nodev,nosuid,noexec to the list of mount options in column 4. Your entry should look as follows:
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
Save and close the file.

/var/tmp

Make sure you bind /var/tmp to /tmp. Edit the file /etc/fstab, enter:
# vi /etc/fstab
Append the following line:
/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0
Save and close the file.

nodev, nosuid, and noexec options without rebooting the Linux server

Type the following commands as the root user:
## Bind /var/tmp to /tmp
mount -o rw,noexec,nosuid,nodev,bind /tmp/ /var/tmp/
## Remount /tmp
mount -o remount,noexec,nosuid,nodev /tmp
## Remount /dev/shm
mount -o remount,noexec,nosuid,nodev /dev/shm
Verify new settings with:
# mount
# mount | less
# mount | egrep --color -w '^(tmpfs|/tmp)|/tmp'
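
The mount output above still has to be read by eye. The following is an added example, not part of the original page, that checks all three directories for the three options and reports what is missing. The function names and the sample mount table are constructed for illustration; the input layout is that of /proc/self/mounts.

```shell
#!/bin/sh
# Added example (not from the original page): audit nodev/nosuid/noexec on
# /tmp, /var/tmp and /dev/shm. Input uses the /proc/self/mounts layout:
#   device mountpoint fstype options dump pass

# check_tmp_mounts [FILE]  (reads stdin when FILE is omitted)
# Prints one line per finding and returns non-zero if there is any finding.
check_tmp_mounts() {
    awk '
        BEGIN {
            n = split("/tmp /var/tmp /dev/shm", want, " ")
            m = split("nodev nosuid noexec", req, " ")
        }
        { opts[$2] = $4 }   # last entry for a mount point wins
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                mp = want[i]
                if (!(mp in opts)) {
                    # No own mount entry: the directory inherits its parent options.
                    print mp " not-a-separate-mount"; bad = 1; continue
                }
                missing = ""
                for (j = 1; j <= m; j++)
                    # Comma padding avoids matching an option inside another word.
                    if (index("," opts[mp] ",", "," req[j] ",") == 0)
                        missing = missing (missing == "" ? "" : ",") req[j]
                if (missing != "") { print mp " missing " missing; bad = 1 }
            }
            exit bad
        }
    ' "$@"
}

# Constructed sample: /tmp is hardened, /dev/shm lacks noexec, /var/tmp is not bound.
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
}

# Demo on the sample; on a live host run: check_tmp_mounts < /proc/self/mounts
sample_mounts | check_tmp_mounts || true
```

A non-zero exit status makes the function usable in a cron job or a configuration-management check after the fstab changes have been applied.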