Mounting /tmp with noexec

I recently found the suggestion to increase security by mounting /tmp with noexec. This is on tumbleweed with btrfs on /. I tried " /dev/tmp /tmp tmpfs defaults,noexec 0 0" in /etc/fstab but obviously my grasp of filesystems is too sketchy since that doesn’t work. Anybody here with ideas about this?

Please always use the Preformatted text for computer text. It is now difficult to interpret.

I have a tmpfs file system for /tmp configured

henk@boven:~> grep tmp /etc/fstab
tmpfs     /tmp            tmpfs  size=25%,uid=root,gid=root,mode=1777  0  0
henk@boven:~>

Compared with what you tried, I assume you invented a device /dev/tmp that in reality does not exist.

I guess you can adapt the options to your liking starting from this.

====
And yes, please do not use terms like “it does not work”. Explain, or better show, what you see and what does not meet your expectations.

@wodenhof Hi, since it’s a systemd service, perhaps a review here on how it works these days may help clarify? https://systemd.io/TEMPORARY_DIRECTORIES/


Maybe I do assume too much, but I assume that you do a boot after changing things.

Sorry for omitting the formatting, I will try to remember that in the future.

I wrote that it did not work because at that time I had several issues with the system which kicked me into an administrator shell and I wasn’t able to disentangle problems and causes. I deleted that line in /etc/fstab but don’t remember what else changed, sorry. But thanks for your example, that was what I was looking for.

Thanks also for the link to systemd-tmp but where do I find the syntax hcvv used for the /etc/fstab?

And now I will reboot ;-).

You may also have a look to this unit

linux: # systemctl cat tmp.mount
# /usr/lib/systemd/system/tmp.mount
#  SPDX-License-Identifier: LGPL-2.1-or-later
#
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

[Unit]
Description=Temporary Directory /tmp
Documentation=https://systemd.io/TEMPORARY_DIRECTORIES
Documentation=man:file-hierarchy(7)
Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
ConditionPathIsSymbolicLink=!/tmp
DefaultDependencies=no
Conflicts=umount.target
Before=local-fs.target umount.target
After=swap.target

[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m

Works, thanks:

me@ryzen:~> systemctl cat tmp.mount
# /run/systemd/generator/tmp.mount
# Automatically generated by systemd-fstab-generator

[Unit]
Documentation=man:fstab(5) man:systemd-fstab-generator(8)
SourcePath=/etc/fstab
Before=local-fs.target

[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
Options=size=25%%,uid=root,gid=root,mode=1777,noexec

me@ryzen:~> df -h /tmp
Filesystem  Size  Used  Avail  Use%  Mounted on
tmpfs       7.9G   36K   7.9G    1%  /tmp
me@ryzen:~>

Problem solved, thanks to all of you.

From man systemd.mount:

FSTAB
Mount units may either be configured via unit files, or via /etc/fstab (see fstab(5) for details). Mounts listed in /etc/fstab will be converted into native units dynamically at boot and when the configuration of the system manager is reloaded. In general, configuring mount points through /etc/fstab is the preferred approach. See systemd-fstab-generator(8) for details about the conversion.

The “bold” is mine.

Thus I prefer the simple one line fstab approach.

That is what I did, too. Here is the line in my /etc/fstab:

tmpfs /tmp tmpfs size=25%,uid=root,gid=root,mode=1777,noexec 0 0

On my system there is no entry for /tmp in /etc/fstab so the tumbleweed default values for tmp.mount are used. When you add an entry for /tmp or something else to /etc/fstab systemd generates a unit file on the fly with the values from /etc/fstab. My post was only intended as a supplement to @malcolmlewis post.

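Two points worth checking once the mount is in place, as an added example that is not part of the thread and not openSUSE's or systemd's own code. First, the fstab line above adds noexec but drops the nosuid and nodev that the stock tmp.mount unit sets, so a hardened line should carry all three (for example `size=25%,mode=1777,nodev,nosuid,noexec`). Second, noexec only blocks direct execution of a file: `sh /tmp/x.sh` or `python3 /tmp/x.py` still runs it through the interpreter, and some installers and build tools expect to execute helpers out of /tmp, for which pointing TMPDIR elsewhere is the usual workaround. The script below audits a /proc/self/mounts-style table for the three options and probes whether the running system refuses to execute a file in its temp directory. The mount table is a constructed sample, not a real system's, and the probe directory defaults to an assumed `${TMPDIR:-/tmp}`.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a /proc/self/mounts-style
# table for the three hardening options and probe whether the running
# system actually refuses to execute a file in its temp directory.

# Constructed sample in /proc/self/mounts format (not a real system's table).
# The /tmp line mirrors the fstab entry from the thread: noexec is set, but
# the nosuid and nodev that the stock tmp.mount unit sets are absent.
SAMPLE_MOUNTS='/dev/nvme0n1p2 / btrfs rw,relatime,ssd,space_cache=v2,subvol=/@ 0 0
tmpfs /tmp tmpfs rw,relatime,size=8192000k,nr_inodes=1048576,mode=1777,noexec 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=3275228k,mode=755 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'

# mount_options TABLE MOUNTPOINT: print the option field of MOUNTPOINT.
# If the same path is mounted several times, the last (topmost) line wins.
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }'
}

# missing_hardening TABLE MOUNTPOINT: print the hardening options that are
# absent, space separated; print nothing when all three are present.
# Prints "not mounted" and returns 2 when MOUNTPOINT is not in TABLE.
missing_hardening() {
    opts=$(mount_options "$1" "$2")
    [ -n "$opts" ] || { echo "not mounted"; return 2; }
    missing=""
    for want in nodev nosuid noexec; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# noexec_probe [DIR]: create an executable script under DIR (assumed default
# ${TMPDIR:-/tmp}) and try to run it directly. Prints "blocked" when the
# kernel refuses (noexec in effect) and "allowed" otherwise. noexec only
# stops direct execution: "sh $DIR/probe.sh" would still run the same file
# through an interpreter, so noexec is a speed bump, not a wall.
noexec_probe() {
    base=${1:-${TMPDIR:-/tmp}}
    dir=$(mktemp -d "$base/noexec-probe.XXXXXX") || return 1
    printf '#!/bin/sh\necho executed\n' > "$dir/probe.sh"
    chmod 0755 "$dir/probe.sh"
    if "$dir/probe.sh" >/dev/null 2>&1; then
        echo allowed
    else
        echo blocked
    fi
    rm -rf "$dir"
}

# Report on the constructed sample; on a live system replace SAMPLE_MOUNTS
# with "$(cat /proc/self/mounts)".
for mp in /tmp /run /dev/shm; do
    printf '%-9s missing: %s\n' "$mp" "$(missing_hardening "$SAMPLE_MOUNTS" "$mp")"
done
printf 'direct execution in %s: %s\n' "${TMPDIR:-/tmp}" "$(noexec_probe)"
```

On the sample table the report lists `nodev nosuid` as missing for /tmp and `noexec` for /run, while /dev/shm passes. Run against the live table after a reboot to confirm the generated tmp.mount unit picked up the fstab options; `findmnt -no OPTIONS /tmp` is the one-liner equivalent of `mount_options`.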

Looks fine.
