Home / server / Questions / 359530
Accepted
gordon-quad
Asked: 2012-02-14 03:35:57 +0800 CST

Make /home /tmp noexec nodev without a separate patition

  • 772

I need to change some mount options for parts of the root filesystem, such as /tmp /var and /home (add nodev,nosuid and quota), but I haven't ability to make a separate partition and I have not enough RAM to mount /tmp as tmpfs. I've tried mount -o bind,noexec,nodev,nosuid /tmp /tmp, but it seems not working because after that I still can exec files from /tmp and make device nods on it. Is there other way to do that?

linux mount security quota

1 Answers

  1. Best Answer

    You can remount /tmp with bind and noexec,nodev,nosuid options but not in one step. Due to some linux kernel VFS layer limitations you have to first bind-mount it and then remount with proper options.

    root@utemp:/# /tmp/test.sh 
uid=0(root) gid=0(root) groups=0(root)
root@utemp:/# mount -o bind,noexec /tmp /tmp
root@utemp:/# ./tmp/test.sh 
uid=0(root) gid=0(root) groups=0(root)
root@utemp:/# umount /tmp
root@utemp:/# mount -o bind /tmp /tmp
root@utemp:/# mount -o remount,noexec /tmp
root@utemp:/# ./tmp/test.sh 
bash: ./tmp/test.sh: Permission denied
root@utemp:/# umount /tmp

    It's inconvenient -- instead of one line in /etc/fstab you have to call some script with two mount commands per directory during system boot.

    More information in this LWN article. In older kernel it wouldn't work -- bind mount point has always the same mount options as underlying filesystem.

    • 11