Temporary storage directories such as /tmp, /var/tmp and /dev/shm provide storage space for malicious executables. Crackers and hackers store executables in /tmp. Malicious users can use temporary storage directories to execute unwanted programs and crack your server.
Add nodev, nosuid, and noexec options to /tmp
Edit the file /etc/fstab, enter:
# vi /etc/fstab
Locate the /tmp line:
UUID=0aef28b9-3d11-4ab4-a0d4-d53d7b4d3aa4 /tmp ext4 defaults 1 2
Append the text ,nodev,nosuid,noexec to the list of mount options in column 4. In the end, your entry should look as follows:
UUID=0aef28b9-3d11-4ab4-a0d4-d53d7b4d3aa4 /tmp ext4 defaults,nodev,nosuid,noexec 1 2
Save and close the file.
Add nodev, nosuid, and noexec options to /dev/shm
Edit the file /etc/fstab, enter:
# vi /etc/fstab
Locate the /dev/shm line:
tmpfs /dev/shm tmpfs defaults 0 0
Append the text ,nodev,nosuid,noexec to the list of mount options in column 4. In the end, your entry should look as follows:
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
Save and close the file.
A note about /var/tmp
Make sure you bind /var/tmp to /tmp. Edit the file /etc/fstab, enter:
# vi /etc/fstab
Append the following line:
/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0
Save and close the file.
Set nodev, nosuid, and noexec options without rebooting the Linux server
Type the following commands as the root user:
## Bind /var/tmp to /tmp
mount -o rw,noexec,nosuid,nodev,bind /tmp/ /var/tmp/
## Remount /tmp
mount -o remount,noexec,nosuid,nodev /tmp
## Remount /dev/shm
mount -o remount,noexec,nosuid,nodev /dev/shm
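To confirm that the options are active after the remount or after a reboot, check the kernel's mount table rather than /etc/fstab. The script below is an added example, not part of the original article; the function names and the sample mount table are made up for illustration, and it reads /proc/mounts unless given another file.

```sh
# Added example (not from the article): audit nodev/nosuid/noexec.
REQUIRED="nodev nosuid noexec"

# missing_opts MOUNTPOINT [MOUNTS_FILE]
# Prints the required options absent from the topmost (last listed) mount
# on MOUNTPOINT, or "unmounted" when MOUNTPOINT is not a mount of its own.
missing_opts() {
    m_file=${2:-/proc/mounts}
    m_opts=$(awk -v mp="$1" '$2 == mp { o = $4 } END { print o }' "$m_file")
    [ -n "$m_opts" ] || { echo "unmounted"; return 0; }
    m_out=""
    for m_want in $REQUIRED; do
        case ",$m_opts," in
            *",$m_want,"*) ;;
            *) m_out="$m_out${m_out:+ }$m_want" ;;
        esac
    done
    echo "$m_out"
}

# audit_tmp_mounts [MOUNTS_FILE]
# Reports each directory; returns 0 only if all three carry every option.
# /var/tmp is checked on its own because a bind mount has its own flags.
audit_tmp_mounts() {
    a_rc=0
    for a_mp in /tmp /var/tmp /dev/shm; do
        a_miss=$(missing_opts "$a_mp" "$1")
        if [ -z "$a_miss" ]; then
            echo "OK   $a_mp"
        else
            echo "FAIL $a_mp: $a_miss"
            a_rc=1
        fi
    done
    return $a_rc
}

# Constructed sample in /proc/mounts format (hypothetical device names).
sample_mounts() {
    cat <<'EOF'
/dev/sda3 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var/tmp ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
}

demo=$(mktemp) && sample_mounts > "$demo"
audit_tmp_mounts "$demo" || echo "hardening incomplete"
rm -f "$demo"
```

On a live server, call audit_tmp_mounts with no argument; a directory reported as "unmounted" is not a separate mount, so none of the options apply to it.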