I need to change some mount options for parts of the root filesystem, such as /tmp, /var and /home (add nodev, nosuid and quota), but I don't have the ability to make a separate partition and I don't have enough RAM to mount /tmp as tmpfs. I've tried mount -o bind,noexec,nodev,nosuid /tmp /tmp, but it doesn't seem to work, because after that I can still execute files from /tmp and make device nodes on it. Is there another way to do that?
You can remount /tmp with bind and noexec,nodev,nosuid options, but not in one step. Due to some Linux kernel VFS layer limitations, you have to first bind-mount it and then remount with the proper options.
root@utemp:/# /tmp/test.sh
uid=0(root) gid=0(root) groups=0(root)
root@utemp:/# mount -o bind,noexec /tmp /tmp
root@utemp:/# ./tmp/test.sh
uid=0(root) gid=0(root) groups=0(root)
root@utemp:/# umount /tmp
root@utemp:/# mount -o bind /tmp /tmp
root@utemp:/# mount -o remount,noexec /tmp
root@utemp:/# ./tmp/test.sh
bash: ./tmp/test.sh: Permission denied
root@utemp:/# umount /tmp
It's inconvenient -- instead of one line in /etc/fstab you have to call some script with two mount commands per directory during system boot.
More information in this LWN article. On older kernels it wouldn't work -- a bind mount point always has the same mount options as the underlying filesystem.
– kupson
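A helper script, added here as an example and not part of the answer above, that wraps the two-step bind-then-remount for one directory and then verifies from /proc/self/mountinfo that the restrictive flags really took (the per-mount-point flags are its sixth field, so /etc/mtab is not needed). It uses the "remount,bind" form documented in mount(8), which changes only the bind mount's own flags; the mountinfo lines in sample_mountinfo are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the answer above): two-step hardening of a directory
# that cannot be a separate partition, plus a check that the flags really took.
set -eu

# remount_hardened DIR OPTS   e.g. remount_hardened /tmp noexec,nodev,nosuid
# Bind-mounts DIR onto itself, then remounts the bind mount with OPTS. The
# "remount,bind" form from mount(8) changes only this mount point's own flags,
# not the underlying filesystem. Needs root; not exercised by the self-test.
remount_hardened() {
    dir=$1; opts=$2
    mount --bind "$dir" "$dir"
    mount -o "remount,bind,$opts" "$dir"
}

# mount_flags_of DIR [MOUNTINFO]
# Prints the per-mount-point flags (6th field of /proc/self/mountinfo) for the
# most recent mount whose mount point is DIR; prints nothing if DIR is not a
# mount point. Reads the live kernel state, not /etc/mtab.
mount_flags_of() {
    dir=$1; src=${2:-/proc/self/mountinfo}
    awk -v d="$dir" '$5 == d { f = $6 } END { if (f != "") print f }' "$src"
}

# has_flags FLAGS WANTED   returns 0 only if every option in WANTED (comma list)
# is present in FLAGS, e.g. has_flags "$(mount_flags_of /tmp)" noexec,nodev,nosuid
has_flags() {
    flags=$1; rest=$2
    while [ -n "$rest" ]; do
        w=${rest%%,*}
        case "$rest" in *,*) rest=${rest#*,} ;; *) rest='' ;; esac
        case ",$flags," in *",$w,"*) ;; *) return 1 ;; esac
    done
    return 0
}

# sample_mountinfo writes CONSTRUCTED mountinfo lines (not from a real host) to a
# temp file and prints its path: /tmp hardened, /home bind-mounted but not yet
# remounted, /var not a mount point at all.
sample_mountinfo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
21 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
40 21 8:1 /tmp /tmp rw,nosuid,nodev,noexec,relatime - ext4 /dev/sda1 rw,errors=remount-ro
41 21 8:1 /home /home rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
EOF
    printf '%s\n' "$f"
}
```

On a live system, run remount_hardened from a boot script for each directory, then `has_flags "$(mount_flags_of /tmp)" noexec,nodev,nosuid` is a quick post-boot check that the second mount step was not skipped.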
Seems to be ok on a live system. – user3132194 Jul 12 '16 at 10:21