Securing tmp

Is this still a recommended practice? … ition.html">

4 Replies

That link is slightly odd; create a 1Gb file and then mount that as /tmp. It'd work, but I wouldn't normally consider it best practice.

Making /tmp a ram based tmpfs has been semi-regular behaviour for a long time. Indeed, on Solaris it's always tmpfs.

Note, though "# ln -s /tmp /var/tmp " is BAD; /tmp and /var/tmp should be different. You could make /var/tmp a tmpfs filesystem if you really wanted.

Note: I recommend rebooted after making these types of changes /tmp and /var/tmp to ensure the machine comes up cleanly afterwards. That page tries to work around needing a reboot; I don't recommend that, at all!

The main thing to be careful of, making those directories "noexec" is if you have any procedures that create temporary scripts; they will break.

In summary, I'd never recommend that page to anyone who doesn't know what they're doing, and why. The concepts are good, the implementation is questionable, the consequences may not be as expected.

Using tmpfs for /tmp is fine for servers but I have to caution on doing it on desktops because some user space applications will want to store partially downloaded large files there until the entire thing has finished downloading. Others will use it for large pieces of files the user is working on before they are stored.

I have run into problems with /tmp running out of space on desktops even with a 1 GB tmpfs file system.

I should probably add that tmpfs on a linode may not be a good idea; memory is one of the things we're typically short of and you don't want to use it all up as a ramdisk :-)

I know this is an old thread, but as I'm spinning up a new Centos 8 VPS to migrate my stuff to I've had to harden my /tmp the same way I did on my other Centos 7 VPS

This method worked well :

The only charge I made was to make it a 1G file and then the fstab mount needs to include 'loop' like this :

/root/images/tmpfile.bin /tmp ext4 loop,rw,noexec,nosuid,nodev 0 0


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct