10

What is the best way (options, those numbers on the end) to mount a /tmp partition in /etc/fstab in terms of security and speed on a desktop (laptop) computer (read: not server)?

I've heard about nosuid, nodev and noexec, but I have no idea what they do, how to use them or even if I should used them.

I'm using LVM btw.

Juraj Fiala
  • 487
  • 2
  • 5
  • 17

2 Answers2

8

The default is just a directory in the root filesystem.

That's fine but I have a desktop, a ton of RAM and reboot very infrequently... Which is the perfect description of somebody who could be using RAM instead of SSD for caching temporary stuff... So mine is mounted as a tmpfs RAMdisk, defined in fstab as:

tmpfs    /tmp    tmpfs    defaults,noatime,mode=1777   0  0

If you power cycle lots, this obviously isn't going to be a good idea for you.

You asked on another —now deleted— answer what the two zeroes were on the end, that's handled by another answer but they basically mean the system doesn't care about what happens to this filesystem if things crash. It won't dump out or check it for errors on boot.

noatime is just there as a tiny performance thing. Nothing I know of needs to audit access times of /tmp so I don't bother storing them. There's nothing inherently dangerous about allowing SUID, exec or character devices in /tmp and some things might need them.

In terms of security, while anything can write into /tmp it doesn't mean anything can overwrite or even read existing files. If you have a go-rw permission file, other people won't be able to mess around with it. The various systems that write into /tmp already do things to make sure that they're not clashing over filenames (typically by appending the $USER variable to the filename).

Community
  • 1
Oli
  • 293,335
  • in Ubuntu 14.04+ tmpreaper http://manpages.ubuntu.com/manpages/wily/man8/tmpreaper.8.html is used by default to clean up /tmp and uses atime to determine age so you would want to update the settings to use ctime if you want it to clean files over time. – DanJGer Sep 26 '16 at 20:28
1

I am not sure, but it looks like in modern Ubuntu versions, editing /etc/fstab doesn't work anymore for /tmp. Now it seems to be managed by systemd, so to edit its options you should edit the /etc/systemd/system/tmp.mount file. You could do that with sudo systemctl edit tmp.mount --full. Options are given in the Options line, like Options=mode=1777,relatime,nodev,nosuid,noexec.

madhead
  • 702
  • 3
  • 10
  • Well, I made that answer based on my expirience. Editing /etc/fstab didn't work for me on 20.04, but I found a mention of tmp.mount here. So, for me tmp.mount systemd unit was the right place, not the /etc/fstab. – madhead Feb 21 '22 at 01:05
  • One more link about tmp.mount: https://wiki.archlinux.org/title/tmpfs#Disable_automatic_mount. Although it's for Arch Wiki, it is still about systemd specifics. – madhead Feb 21 '22 at 01:08