Mount /tmp as Non Executable
Mounting /tmp as non executable improves security and increases awareness
For security reasons I mount my
/tmp directory as non executable. Since I use the zfs file system, I accomplish this by turning off the exec property:
/sbin/zfs get exec tank/tmp/root
NAME PROPERTY VALUE SOURCE tank/tmp/root exec off local
It is easy to search online how to accomplish the same for other file systems. I highly recommend mounting
/tmp as none executable. The affect of doing so is simply that if an executable file is invoked from within
/tmp or any of its subdirectories, a permission denied error will be raised no matter what the effective user or group is. As you can imagine, this causes problems from time to time. For example, in emacs I have set temporary-file-directory to
~/.emacs.d.tmp since it is
/tmp/ by default. I discovered this when I was not able to use tramp to execute org-babel exported code with
sudo. There have been countless other hiccups that I have run into, which is why I have created this short blog post. Now when I encounter execution failure in
/tmp I can link to this post whenever I have to do something strange to get around the issue.
Another benefit is that when a process fails due to not being able to execute in
/tmp I learn about what that process was trying to execute in and why. In this way it increases my awareness of my local ecosystem. It is enlightening.
Be the first to comment on this article.