Uncategorized

Best Way to Create /tmp with noexec on linux

- by jason

How do I mount /tmp as a separate filesystem (/root/images/tmpfile.bin) with the noexec,nosuid, nodev options under Linux like operating systems?

Linux and Unix like operating system can mount system partitions with additional options. These options can cane enhances the security of your server. These options are set in the file /etc/fstab. You can use the following option to control malicious behavior or make it difficult for attackers to exploit your server:

  1. nodev – Do not interpret character or block special devices on the file system.
  2. noexec – Do not allow direct execution of any binaries on the mounted filesystem.
  3. nosuid – Do not allow set-user-identifier or set-group-identifier bits to take effect.

Commands

First, create a file called /root/images/tmpfile.bin as follows :
# dd if=/dev/zero of=/tmpfile bs=1 count=0 seek=10G

Format the file system using the mkfs.ext4 command:
# mkfs.ext4 /tmpfile
Sample outputs:

mke2fs 1.41.12 (17-May-2010)
/tmpfile is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
262144 inodes, 1048576 blocks
52428 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1073741824
32 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912, 819200, 884736
 
Writing inode tables: done                            
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
 
This filesystem will be automatically checked every 37 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

Add nodev, nosuid, and noexec options and mount the file system at /tmp
# mount -o loop,rw,nodev,nosuid,noexec /tmpfile /tmp

Update /etc/fstab

Edit the file /etc/fstab, enter:
# vi /etc/fstab
Modify /tmp line as follows:

/tmpfile            /tmp         ext4     loop,rw,noexec,nosuid,nodev    0 0

Save and close the file.

Please test before reboot with follows with no error:

umount /tmp
mount -a

 

Related Posts

compare two directory trees with rsync

linux man ip command

CentOS7 Change repo end of life

About jason

View all posts by jason →