Mount /tmp as Non Executable

Mounting /tmp as non executable improves security and increases awareness

For security reasons I mount my /tmp directory as non executable. Since I use the zfs file system, I accomplish this by turning off the exec property:

/sbin/zfs get exec tank/tmp/root

NAME           PROPERTY  VALUE  SOURCE
tank/tmp/root  exec      off    local

It is easy to search online how to accomplish the same for other file systems. I highly recommend mounting /tmp as none executable. The affect of doing so is simply that if an executable file is invoked from within /tmp or any of its subdirectories, a permission denied error will be raised no matter what the effective user or group is. As you can imagine, this causes problems from time to time. For example, in emacs I have set temporary-file-directory to ~/.emacs.d.tmp since it is /tmp/ by default. I discovered this when I was not able to use tramp to execute org-babel exported code with sudo. There have been countless other hiccups that I have run into, which is why I have created this short blog post. Now when I encounter execution failure in /tmp I can link to this post whenever I have to do something strange to get around the issue.

Another benefit is that when a process fails due to not being able to execute in /tmp I learn about what that process was trying to execute in and why. In this way it increases my awareness of my local ecosystem. It is enlightening.