Document Type | Troubleshooting
Category | Administration
Applicable Product Versions | 5SP1FS01, 5SP1FS02, 5SP1FS03, 5SP1FS04, 5SP1FS06, 6FS01, 6FS02, 6FS03, 6FS04, 6FS05, 6FS06, 6FS07, 6FS07PS, 7FS01, 7FS02, 7FS02PS
Document Number | TADTS019
Issue
When the /tmp directory on a Linux system has 777 permissions and execution is allowed, malicious scripts or executables can easily be stored and run there, leading to the security threats described below.
- Execution of malware
- Privilege escalation (SUID)
- Access to devices through device files created in /tmp
Note
- 777 permissions: All users have read/write/execute access.
- /tmp: Standard path where the system, users, and applications store temporary files.
Cause
On Linux systems, the /tmp directory has 777 permissions by default, which creates the security vulnerability described above.
Solutions
Security can be enhanced by setting secure mount options on /tmp.
It is recommended to set the noexec, nosuid, and nodev options to block execution, privilege escalation, and device access, and to link /var/tmp to /tmp to apply unified security settings.
Secure Mount Options
- nodev: Ignore character and block device files on the filesystem (e.g., a device node created in /tmp that mimics /dev/null cannot be used)
- nosuid: Ignore SUID/SGID bits on files in the filesystem, so they cannot be used for privilege escalation
- noexec: Block direct execution of files on the filesystem (e.g., ./file cannot be run)
How to Apply
Case 1. When /tmp is a separate partition
- Add the following line to /etc/fstab.
UUID=<tmp disk UUID> /tmp ext4 defaults,nodev,nosuid,noexec 0 0
- Set a symbolic link from /var/tmp to /tmp.
ln -s /tmp /var/tmp
- Reboot, or run the mount -a command.
Case 2. When /tmp is not a separate partition (virtual disk configuration)
- Create and format a temporary disk file.
dd if=/dev/zero of=/var/tmpmount bs=1 count=0 seek=1G
mkfs.ext4 /var/tmpmount
- Add the following line to /etc/fstab.
/var/tmpmount /tmp ext4 defaults,nodev,nosuid,noexec 0 0
- Mount and set permissions.
mount -o defaults,nodev,nosuid,noexec /var/tmpmount /tmp
chmod 0777 /tmp
- Set a symbolic link from /var/tmp to /tmp.
ln -s /tmp /var/tmp
Note
Setting the noexec option blocks direct execution of files in the /tmp directory (e.g., ./filename). If a system component or script uses /tmp as an execution path, it may stop working once execution is blocked, so test beforehand. If /var/tmp is already in use, back up its data before creating the link.
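The following check script is an added example, not part of this document or the product: it parses a mount table in /proc/self/mounts format, reports which of nodev, nosuid and noexec are missing on /tmp (the mount options applied in Case 1 and Case 2), and confirms that /var/tmp is a symbolic link to /tmp. The sample mount tables are constructed; pass --live to check the running system after the reboot or remount.

```shell
#!/bin/sh
# Added example: verify the /tmp hardening described in TADTS019.
# check_tmp_options reads a mount table in /proc/self/mounts format
# (device mountpoint fstype options dump pass) and prints the required
# options that are missing for the given mount point.
# Exit status: 0 = all options present, 1 = some missing,
#              2 = mount point is not mounted at all.
check_tmp_options() {
    table=$1
    mnt=$2
    # When a mount point appears more than once, the last entry is the
    # effective mount, so awk keeps the options of the last matching line.
    opts=$(printf '%s\n' "$table" |
        awk -v m="$mnt" '$2 == m { o = $4 } END { print o }')
    [ -n "$opts" ] || return 2
    missing=""
    for want in nodev nosuid noexec; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Returns 0 only if the given path is a symbolic link whose target is /tmp,
# i.e. the "ln -s /tmp /var/tmp" step was applied.
var_tmp_links_to_tmp() {
    [ -L "$1" ] && [ "$(readlink "$1")" = /tmp ]
}

# Constructed sample mount tables (not taken from a real system).
WEAK_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /tmp ext4 rw,relatime 0 0'
PARTIAL_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /tmp ext4 rw,nosuid,nodev,relatime 0 0'
HARDENED_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/loop0 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0'

# Live check of the running system: sh check_tmp.sh --live
if [ "${1-}" = "--live" ]; then
    check_tmp_options "$(cat /proc/self/mounts)" /tmp
    var_tmp_links_to_tmp /var/tmp && echo "/var/tmp -> /tmp OK"
fi
```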