mount: Disabling execution of scripts

One common way to harden a system is to mount the /tmp filesystem so that nothing stored on it can be executed. This stops users from running scripts out of /tmp, which is generally writable by everyone.

You can restrict this with the mount option noexec.

Here is an example:

```
[root@host playground]# mount | grep play
/dev/mapper/vgfirst-lv_test1 on /var/tmp/playground type ext3 (rw)
[root@host playground]# ./helloworld.sh
Hello World
[root@host playground]# mount -o remount,noexec /dev/mapper/vgfirst-lv_test1 /var/tmp/playground
[root@host playground]# mount | grep play
/dev/mapper/vgfirst-lv_test1 on /var/tmp/playground type ext3 (rw,noexec)
[root@host playground]# ./helloworld.sh
-bash: ./helloworld.sh: Permission denied
```
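To turn the manual `mount | grep` check above into something repeatable, here is an added audit script (not part of the original post) that reads mount entries in /proc/mounts format and reports every listed mount point that lacks noexec. The device names and sample mount lines are constructed to mirror the session above; on a live system you would feed it `/proc/mounts` instead.

```shell
#!/bin/sh
# Added example: audit mount points for the noexec option.
# Input is /proc/mounts format: "<dev> <mountpoint> <fstype> <opts> 0 0".

# mount_has_opt MOUNTS_TEXT MOUNTPOINT OPTION -> exit 0 if the option is set
mount_has_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# audit_noexec MOUNTS_TEXT MOUNTPOINT... -> prints one line per mount point,
# exits non-zero if any of them is missing noexec (handy for a cron/CI check).
audit_noexec() {
    mounts="$1"; shift
    rc=0
    for mp in "$@"; do
        if mount_has_opt "$mounts" "$mp" noexec; then
            echo "OK      $mp is mounted noexec"
        else
            echo "MISSING $mp allows execution"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples modelled on the session above (hypothetical devices):
# before and after the "mount -o remount,noexec" step.
SAMPLE_BEFORE='/dev/mapper/vgfirst-lv_test1 /var/tmp/playground ext3 rw 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'
SAMPLE_AFTER='/dev/mapper/vgfirst-lv_test1 /var/tmp/playground ext3 rw,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0'

# Live usage:  audit_noexec "$(cat /proc/mounts)" /tmp /var/tmp
if [ "${1:-}" = "--demo" ]; then
    audit_noexec "$SAMPLE_BEFORE" /var/tmp/playground /tmp
    audit_noexec "$SAMPLE_AFTER" /var/tmp/playground /tmp
fi
```

Remember that a remount is not persistent: add `noexec` to the options column of the filesystem's /etc/fstab entry so the setting survives a reboot, and rerun the audit afterwards.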
Benjamin Cane
Principal Engineer, Vice President

Benjamin Cane is Principal Engineer at American Express. He has more than 16 years of experience with roles in both systems and software engineering. He leverages both his systems and software skills to build end-to-end platforms. Platforms, purpose built for performance and resiliency. Benjamin is also the author of Red Hat Enterprise Linux - Troubleshooting Guide (2015, Packt Publishing), and he has published many popular articles on topics such as Linux, Docker, Python, Go and Performance Tuning. Thoughts and Opinions expressed in my articles are my own.
