Mount the /tmp partition with ‘noexec’ and ‘nosuid’ options

On Linux servers (especially web servers) it is recommended to create /tmp as a separate partition and mount it with the ‘noexec’ and ‘nosuid’ options. ‘noexec’ tells the kernel not to honour the executable bit on that filesystem, so a binary dropped into /tmp (the classic landing spot for a web-shell upload or a downloaded payload) cannot be run directly. It is a speed bump rather than a complete control: an attacker who can invoke an interpreter can still run ‘sh /tmp/script’ or ‘perl /tmp/script.pl’, since noexec stops the kernel from executing the file, not an interpreter from reading it. ‘nosuid’ makes the kernel ignore the setuid and setgid bits on that filesystem, so a setuid binary planted in /tmp cannot be used for privilege escalation. Adding ‘nodev’ as well, as the fstab entry below does, stops device nodes created on /tmp from being used to access hardware directly.

WARNING: Various services such as MySQL, Postgres, Plesk and Zend use /tmp as temporary storage. You must STOP these services before carrying out the procedure below: mounting a new filesystem over /tmp while MySQL still has temporary tables open there can cause major InnoDB database corruption.

1. Stop all services including Plesk, MySQL, Apache, Postgres, SpamAssassin and any other service utilizing the /tmp file system.

2. Copy all of the files in /tmp to a holding directory:

# cp -Rp /tmp /tmp-backup

3. If /tmp is already a separate partition on the server, you only need to edit /etc/fstab and add the ‘noexec’, ‘nosuid’ and ‘nodev’ options to its existing line (the same option list as in step 5, minus ‘loop’). Then remount the partition:

# mount -o remount /tmp

If /tmp is not a separate partition (check using ‘# df -h’: /tmp should appear as its own mount point rather than being covered by the / line), then you will need to follow steps 4 – 10 below. Otherwise, skip to step 11.

4. If the /tmp directory resides on the / partition, it is better to create a new filesystem for /tmp. Since there is usually no spare disk to repartition, a file-backed image is used; here with a size of 1 GB (size it for what your services actually stage there, for example MySQL's on-disk temporary tables):

# cd /var
# dd if=/dev/zero of=tmpMnt bs=1024 count=1048576
# mkfs.ext3 -j /var/tmpMnt

mkfs.ext3 will warn that /var/tmpMnt is not a block special device and ask whether to proceed; answer y. (The ‘-j’ is harmless but redundant: mkfs.ext3 always creates a journal.) Make sure the image file itself is not readable by other users (mode 0600), otherwise every user's temporary files can be read straight out of the image.

5. Add the line to /etc/fstab (after taking a backup of the file):

# cp /etc/fstab /etc/fstab~
# echo "/var/tmpMnt /tmp ext3 loop,rw,noexec,nosuid,nodev 0 0" >> /etc/fstab

6. Mount the new /tmp filesystem, with the same options as the fstab line:

# mount -o loop,rw,noexec,nosuid,nodev /var/tmpMnt /tmp

7. /tmp must be mode 1777, i.e. world-writable with the sticky bit set, so that users can only delete or rename their own files. A plain 0777 would let any local user delete or replace another user's (or a service's) temporary files. A freshly made ext3 filesystem is mounted as 0755, so this step is required:

# chmod 1777 /tmp

8. /tmp ownership should be root:root:

# chown root:root /tmp

9. Copy the old /tmp files to the new /tmp filesystem. Use ‘/.’ rather than ‘/*’ so that dot-files and dot-directories such as /tmp/.X11-unix are included, since the shell glob would skip them:

# cp -Rp /tmp-backup/. /tmp/
# rm -rf /tmp-backup

10. Remove the old /var/tmp directory and re-link it to the new /tmp so that it is covered by the same mount options. Note that this deletes whatever is currently in /var/tmp, so back it up first if anything there matters; also note that the FHS expects /var/tmp to survive reboots while /tmp need not, so a service that depends on that distinction needs checking:

# rm -rf /var/tmp/
# ln -s /tmp/ /var/tmp

11. Confirm that /tmp is mounted with noexec and nosuid:

# mount

Look for the /tmp line and confirm that noexec, nosuid and nodev all appear in the option list. For a real partition it reads something like “/dev/sdaX on /tmp type ext3 (rw,noexec,nosuid,nodev)”; for the loop-mounted image from step 6 the first field is /var/tmpMnt (or a /dev/loopN device) instead of /dev/sdaX. As a functional check, mark a small shell script under /tmp executable and try to run it by path; it should be refused with “Permission denied”.

12. Restart the services you previously shut down.
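Steps 7 and 11 above can be checked programmatically rather than by eye. The script below is an added example, not part of the original article, and runs without root against a constructed /proc/self/mounts table (when no table is supplied it reads the live one). It assumes a POSIX sh with awk, ls, cut and mktemp; the mount points and the sample table are constructed for illustration. check_tmp_mount reports which of noexec, nosuid and nodev are missing from a mount, tmp_perms_ok confirms the 1777 sticky-bit mode, and exec_denied probes what noexec actually blocks (a direct execution of a file on the mount) as opposed to what it does not (running the same file through an interpreter).

```sh
#!/bin/sh
# Added example (not from the article): verify that a mount point carries the
# noexec/nosuid/nodev options, that a /tmp directory has the 1777 sticky-bit
# mode, and probe what noexec actually blocks. POSIX sh; uses awk, ls, cut, mktemp.

# Constructed sample of /proc/self/mounts, standing in for a server where the
# article's loop-mounted image is on /tmp and /data was mounted without hardening.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/var/tmpMnt /tmp ext3 rw,nosuid,nodev,noexec,relatime,data=ordered 0 0
/dev/sdb1 /data ext4 rw,relatime 0 0'

# mount_opts MOUNTPOINT [TABLE]: print the option field for MOUNTPOINT.
# TABLE defaults to the live /proc/self/mounts. The last matching line wins,
# which is how the kernel resolves stacked mounts on the same path.
mount_opts() {
    _tbl=${2:-"$(cat /proc/self/mounts)"}
    printf '%s\n' "$_tbl" | awk -v mp="$1" '$2 == mp { o = $4 } END { print o }'
}

# has_opt OPTS NAME: succeed if NAME appears as a whole option in OPTS.
# Comma-bracketing avoids matching "nodev" inside an unrelated longer option.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_tmp_mount MOUNTPOINT [TABLE]: print "ok", "missing: ..." or
# "not-mounted"; exit status 0 only when all three options are present.
check_tmp_mount() {
    _opts=$(mount_opts "$1" "$2")
    [ -n "$_opts" ] || { echo not-mounted; return 2; }
    _missing=
    for _want in noexec nosuid nodev; do
        has_opt "$_opts" "$_want" || _missing="$_missing $_want"
    done
    [ -z "$_missing" ] && { echo ok; return 0; }
    echo "missing:$_missing"
    return 1
}

# tmp_perms_ok DIR: succeed only if DIR is mode 1777 (drwxrwxrwt). A plain
# 0777 shows as drwxrwxrwx and lets any user delete other users' temp files.
tmp_perms_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwxrwxrwt" ]
}

# exec_denied DIR: drop an executable script into DIR and try to run it by
# path. Returns 0 if the kernel refused (the noexec case), 1 if it ran,
# 2 if the probe could not be written. "sh DIR/script" would still work under
# noexec: the option stops execve on the file, not an interpreter reading it.
exec_denied() {
    _probe="$1/noexec-probe.$$"
    { printf '#!/bin/sh\nexit 0\n' > "$_probe" && chmod 755 "$_probe"; } || return 2
    if "$_probe" 2>/dev/null; then _rc=1; else _rc=0; fi
    rm -f "$_probe"
    return "$_rc"
}

# Demonstration against the constructed table (runs without root).
demo() {
    for _mp in /tmp /data /var/tmp; do
        printf '%-10s %s\n' "$_mp" "$(check_tmp_mount "$_mp" "$SAMPLE_MOUNTS")"
    done
}
demo
```

On a real server, run check_tmp_mount /tmp with no table argument after step 6 and again after a reboot, since a mistyped fstab line silently leaves /tmp on the root filesystem with full execute rights. exec_denied /tmp should return 0 on the hardened mount and 1 on an unhardened one; that it returns 1 for "sh /tmp/file" either way is the reason noexec is only one layer of the defence.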

NOTE: This article was updated on April 5th 2011 to include a more optimized process.