InformationThe /tmp directory is a world-writable directory used for temporary storage by all users and some applications.
Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.
This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp.
Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition.
Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a default installation a disk-based /tmp will essentially have the whole disk available, as it only creates a single / partition. On the other hand, a RAM-based /tmp as with tmpfs will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily.
SolutionCreate or update an entry for /tmp in either /etc/fstab OR in a systemd tmp.mount file:
If /etc/fstab is used: configure /etc/fstab as appropriate.
tmpfs/tmptmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0
Run the following command to remount /tmp
# mount -o remount,noexec,nodev,nosuid /tmp
OR if systemd tmp.mount file is used: run the following command to create the file /etc/systemd/system/tmp.mount if it doesn't exist:
# [ ! -f /etc/systemd/system/tmp.mount ] && cp -v /usr/lib/systemd/system/tmp.mount /etc/systemd/system/
Edit the file /etc/systemd/system/tmp.mount:
Run the following command to reload the systemd daemon:
# systemctl daemon-reload
Run the following command to unmask and start tmp.mount:
# systemctl --now unmask tmp.mount