Remember to set the sticky bit as well as nodev, noexec and nosuid on /tmp. Below are an fstab line and the meaning of these three options, taken from the mount man page:

nodev   Do not interpret character or block special devices on the file system.

noexec  Do not allow execution of any binaries on the mounted file system. This option might be useful for a server that has file systems containing binaries for architectures other than its own.

nosuid  Do not allow set-user-identifier or set-group-identifier bits to take effect. (This seems safe, but is in fact rather unsafe if you have suidperl(1) installed.)

Sticky bit definition, taken from Oracle's documentation:

If the directory has the sticky bit set, a file can be deleted only by the owner of the file, the owner of the directory, or by root. This special permission prevents a user from deleting other users' files from public directories such as /tmp.

Fstab entry:

tmpfs /tmp tmpfs defaults,noatime,noexec,nosuid,nodev,size=512M,mode=1777 0 0

tmpfs lives in RAM, so /tmp is emptied on every reboot: if you need and like your temp files, then do not do this!
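To check an entry like the one above before trusting it, here is an added shell example (not from the original post) that lints an fstab line for /tmp: it verifies that nodev, noexec, nosuid and the sticky bit (the leading 1 in mode=1777) are all present, and flags a line that does not split into the six fields fstab expects, which is what a stray space inside the options field causes. The sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): lint an fstab entry for /tmp.
# Reports which hardening options (nodev, noexec, nosuid, sticky 1777 mode)
# are absent and catches a stray space inside the options field, which splits
# the line into the wrong number of fields. Sample lines below are constructed.

# has_opt OPTIONS NAME: succeed if NAME is one of the comma-separated OPTIONS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_tmp_line "<fstab line>": prints each missing item to stdout.
# Exit status: number of missing items (0 = fully hardened), or 99 if the
# line does not split into the six fields fstab(5) requires.
check_tmp_line() {
    # shellcheck disable=SC2086
    set -- $1                     # deliberately unquoted: split on whitespace
    if [ "$#" -ne 6 ]; then
        echo "malformed: expected 6 fields, got $# (stray space in options?)"
        return 99
    fi
    opts=$4
    missing=0
    for want in nodev noexec nosuid; do
        if ! has_opt "$opts" "$want"; then
            echo "missing: $want"
            missing=$((missing + 1))
        fi
    done
    # The leading 1 in mode=1777 is the sticky bit; accept the 0-prefixed form too.
    if ! has_opt "$opts" mode=1777 && ! has_opt "$opts" mode=01777; then
        echo "missing: mode=1777 (sticky bit)"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Constructed samples: hardened, a copy with a stray space after a comma, and a lax one.
GOOD='tmpfs /tmp tmpfs defaults,noatime,noexec,nosuid,nodev,size=512M,mode=1777 0 0'
BROKEN='tmpfs /tmp tmpfs defaults,noatime,noexec,nosuid,nodev, size=512M,mode=1777 0 0'
LAX='tmpfs /tmp tmpfs defaults,size=512M 0 0'

for l in "$GOOD" "$BROKEN" "$LAX"; do
    echo "== $l"
    check_tmp_line "$l" && echo "ok: all hardening options present"
done
```

On a live host, feed it the mounted options instead of the fstab text, e.g. `check_tmp_line "$(findmnt -no SOURCE,TARGET,FSTYPE,OPTIONS /tmp) 0 0"`, since what is mounted can differ from what fstab says.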
