Mount the /tmp partition with ‘noexec’ and ‘nosuid’ options

On Linux servers (especially web servers) it is recommended to create /tmp as separate partition and mount it with ‘noexec’ and ‘nosuid’ options. ‘noexec’ disables the executable file attribute within an entire filesystem, effectively preventing any files within that filesystem from being executed. ‘nosuid’ disables the SUID file-attribute within an entire filesystem. This prevents SUID attacks on the /tmp filesystem.

WARNING: Various services such as MySQL, Postgres, Plesk and Zend use /tmp as temporary storage. You must STOP these services before carrying out the procedure below. Failing to disable these services may cause major InnoDB database corruption.

1. Stop all services including Plesk, MySQL, Apache, Postgres, SpamAssassin and any other service utilizing the /tmp file system.

2. Copy all of the files in /tmp to a holding directory:

# cp -Rp /tmp /tmp-backup Continue reading "Mount the /tmp partition with ‘noexec’ and ‘nosuid’ options"