
Filesystem & Mount Hardening on Linux

Harden Linux filesystems with nodev/nosuid/noexec mount options, audit SUID/SGID binaries, fix world-writable files, and tighten permissions on sensitive paths.


Mount options and filesystem permissions are the cheapest, highest-leverage controls on a Linux host. A single nosuid flag can neutralize an entire class of privilege-escalation exploits, and a five-minute SUID audit often surfaces forgotten binaries that no longer need their special bit. This article walks through hardened /etc/fstab options, securing /tmp and /dev/shm, auditing SUID/SGID and world-writable files, and tightening permissions on sensitive system files.

Hardened mount options in /etc/fstab

Three options matter most for non-root, non-system partitions:

  • nodev — ignore device files on the filesystem (an attacker can't smuggle a /dev/sda node onto /tmp).
  • nosuid — ignore the SUID/SGID bits, so dropped SUID binaries can't escalate.
  • noexec — refuse to execute binaries from the mount.

If /tmp, /var/tmp, /home, and /var are already separate partitions, edit /etc/fstab:

UUID=xxxx-tmp     /tmp      ext4  defaults,nodev,nosuid,noexec   0 2
UUID=xxxx-vartmp  /var/tmp  ext4  defaults,nodev,nosuid,noexec   0 2
UUID=xxxx-home    /home     ext4  defaults,nodev,nosuid          0 2
UUID=xxxx-var     /var      ext4  defaults,nodev                 0 2

Note the caveat on /home: noexec there breaks user-installed tooling, language toolchains, and some IDEs, so most teams stop at nodev,nosuid. Apply changes without rebooting:

mount -o remount /tmp
mount -o remount /var/tmp
findmnt /tmp        # confirm the options are active

When partitions are not separate, you have two options. Use a tmpfs for /tmp via systemd's tmp.mount, or create a bind mount:

systemctl enable tmp.mount      # ships with systemd, mounts tmpfs on /tmp
# or a self-contained bind mount in /etc/fstab:
/var/secure-tmp  /var/secure-tmp  none  bind,nodev,nosuid,noexec  0 0

Securing /tmp and /dev/shm

/dev/shm is shared memory and a classic staging ground for fileless malware. It is almost always safe to harden:

tmpfs  /dev/shm  tmpfs  defaults,nodev,nosuid,noexec  0 0
mount -o remount /dev/shm
findmnt /dev/shm

For /tmp on tmpfs, you can also cap its size to resist exhaustion attacks: add size=2G to the options. Combine these mount controls with kernel-level protections described in our kernel hardening guide.

Auditing SUID and SGID binaries

SUID/SGID binaries run with the owner's privileges. Each one is attack surface. Enumerate them:

find / -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null -exec ls -la {} \;

Compare the list against a known-good baseline. Tools you typically keep: sudo, su, passwd, mount, umount, newgrp, ping. Candidates to strip after testing: wall, chsh, chfn, pkexec (CVE-2021-4034 territory), and any third-party binary. Remove the bit:

chmod u-s /usr/bin/somelegacytool    # remove SUID
chmod g-s /usr/bin/someothertool     # remove SGID

Where a tool only needs one capability (e.g. ping needs CAP_NET_RAW), prefer file capabilities over a full SUID bit. SUID auditing pairs naturally with account and privilege hardening.

World-writable and unowned files

World-writable directories without the sticky bit let any user delete or replace others' files. Find them:

find / -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
find / -xdev -type f -perm -0002 2>/dev/null

Fix directories by restoring the sticky bit (or tightening the mode):

chmod +t /path/to/shared/dir
chmod o-w /path/to/file

Files owned by no valid user or group often signal a deleted account or an unpacked tarball from an attacker. Locate and reassign them:

find / -xdev \( -nouser -o -nogroup \) 2>/dev/null
chown root:root /path/to/orphan

Tightening sensitive file permissions

Credential and boot files should not be world-readable:

chmod 0640 /etc/shadow      # 0600 on some distros; match your policy
chmod 0640 /etc/gshadow
chmod 0644 /etc/passwd
chmod 0644 /etc/group
chmod 0600 /boot/grub/grub.cfg
chmod -R go-rwx /etc/cron.d /etc/cron.daily /etc/crontab

Set a restrictive default in /etc/login.defs and shell profiles so new files are not world-readable or group-writable:

UMASK 027

A 027 umask yields 640 files and 750 directories — a sane server default. Enforcing MAC policy on these paths adds defense in depth; see mandatory access control.

Verify

Re-run the audit after changes and capture a baseline:

findmnt --noheadings -o TARGET,OPTIONS | grep -E '/tmp|/var/tmp|/dev/shm'
find / -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null | sort > /root/suid-baseline.txt
find / -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
stat -c '%a %n' /etc/shadow /etc/gshadow
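The verification above as an added example, not the article's own script: a POSIX sh function that reads findmnt output and reports any of the nodev/nosuid/noexec options recommended earlier that are missing, plus a second that diffs a sorted SUID/SGID listing against the baseline file. The findmnt lines and the SUID listings are constructed samples, and /opt/vendor/agent is a hypothetical path.

```shell
#!/bin/sh
# Constructed sample of `findmnt --noheadings -o TARGET,OPTIONS` output (not from a real host).
SAMPLE_MOUNTS='/tmp rw,nosuid,nodev,noexec,relatime
/var/tmp rw,relatime
/dev/shm rw,nosuid,nodev,relatime
/home rw,nosuid,nodev,relatime'
# Options each mount point must carry, matching the fstab recommendations above.
required_for() {
  case "$1" in
    /tmp|/var/tmp|/dev/shm) echo "nodev nosuid noexec" ;;
    /home)                  echo "nodev nosuid" ;;
    *)                      echo "" ;;
  esac
}

# Reads "TARGET OPTIONS" lines on stdin; prints "<target> missing <option>" for each gap.
# Returns 1 if any required option is absent, 0 if every checked mount is compliant.
check_mounts() {
  rc=0
  while read -r target opts; do
    [ -n "$target" ] || continue
    for want in $(required_for "$target"); do
      case ",$opts," in
        *",$want,"*) ;;                        # option present
        *) echo "$target missing $want"; rc=1 ;;
      esac
    done
  done
  return $rc
}

# Compares a sorted current SUID/SGID listing ($1) with a sorted baseline ($2):
# "+ path" = special-bit file not in the baseline, "- path" = baseline entry that vanished.
suid_drift() {
  LC_ALL=C comm -3 "$2" "$1" | awk -F'\t' '{ if ($1 == "") print "+ " $2; else print "- " $1 }'
}

# Demonstrates suid_drift on constructed listings (no real binaries are inspected).
demo_suid_drift() {
  dir=$(mktemp -d)
  printf '%s\n' /usr/bin/mount /usr/bin/passwd /usr/bin/pkexec /usr/bin/su /usr/bin/sudo > "$dir/baseline.txt"
  printf '%s\n' /opt/vendor/agent /usr/bin/mount /usr/bin/passwd /usr/bin/su /usr/bin/sudo > "$dir/current.txt"
  suid_drift "$dir/current.txt" "$dir/baseline.txt"
  rm -rf "$dir"
}

# Stand-alone run on the constructed data; on a live host pipe `findmnt --noheadings -o TARGET,OPTIONS`
# into check_mounts and pass the sorted find output and /root/suid-baseline.txt to suid_drift.
printf '%s\n' "$SAMPLE_MOUNTS" | check_mounts || echo "=> non-compliant mounts found"
demo_suid_drift
```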

Mount and permission hardening is static — it catches yesterday's drift, not tomorrow's tampering. The natural follow-up is continuous file integrity monitoring, so any change to a SUID binary or /etc/shadow raises an alert. Continue with our intrusion detection and file integrity guide.