Make /home /tmp noexec nodev without a separate partition

I need to change some mount options for parts of the root filesystem, such as /tmp, /var and /home (add nodev, nosuid and quota), but I don't have the ability to make a separate partition and I don't have enough RAM to mount /tmp as tmpfs. I've tried mount -o bind,noexec,nodev,nosuid /tmp /tmp, but it seems not to work, because after that I can still exec files from /tmp and make device nodes on it. Is there another way to do that?


Solution 1:

You can remount /tmp with bind and the noexec,nodev,nosuid options, but not in one step. Due to some Linux kernel VFS layer limitations you have to first bind-mount it and then remount it with the proper options.

root@utemp:/# /tmp/test.sh 
uid=0(root) gid=0(root) groups=0(root)
root@utemp:/# mount -o bind,noexec /tmp /tmp
root@utemp:/# ./tmp/test.sh 
uid=0(root) gid=0(root) groups=0(root)
root@utemp:/# umount /tmp
root@utemp:/# mount -o bind /tmp /tmp
root@utemp:/# mount -o remount,noexec /tmp
root@utemp:/# ./tmp/test.sh 
bash: ./tmp/test.sh: Permission denied
root@utemp:/# umount /tmp

It's inconvenient -- instead of one line in /etc/fstab you have to call some script with two mount commands per directory during system boot.

More information in this LWN article. In older kernels it wouldn't work -- a bind mount point always had the same mount options as the underlying filesystem.
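As an added example (not part of the original answer or the question), the following POSIX sh script performs the two-step bind-then-remount from the answer for a list of directories and then verifies from /proc/self/mounts that the flags actually took. That verification is the part worth having in a boot script, because the one-step form fails silently: the mount succeeds and the options are simply ignored. The script assumes Linux with util-linux mount(8); the directory list, the option set, the HARDEN_APPLY switch and the sample mount table are this example's own constructions.

```shell
#!/bin/sh
# Added example, not code from the original answer.
# Harden directories of the root filesystem in place: bind-mount each directory
# onto itself, then remount that bind with restrictive per-mount flags (the
# two-step sequence from the answer), and verify the result from /proc/self/mounts.
# Assumptions of this example: Linux with util-linux mount(8); the directory
# list, the option set and the HARDEN_APPLY switch are this example's choices.

HARDEN_DIRS="/tmp /var/tmp /home"
HARDEN_OPTS="nodev,nosuid,noexec"

# Print the two commands needed for one directory ($1) and option set ($2).
# A single "mount -o bind,nodev,nosuid,noexec DIR DIR" is what the answer shows
# being ignored; the flags only take effect on a remount of the bind.
mount_commands_for() {
    printf 'mount --bind %s %s\n' "$1" "$1"
    printf 'mount -o remount,bind,%s %s\n' "$2" "$1"
}

# Run those commands for every directory in $1 with option set $2 (needs root).
# Stops at the first failing mount so a half-applied state is not reported as done.
apply_hardening() {
    for d in $1; do
        while read -r cmd; do
            echo "+ $cmd"
            $cmd || return 1
        done <<EOF
$(mount_commands_for "$d" "$2")
EOF
    done
}

# Return 0 if mount point $1 appears in the /proc/self/mounts-format listing on
# stdin with every option from the comma-separated list $2, else 1.
# Fields: <source> <target> <fstype> <options> <dump> <pass>; the last matching
# line is the top-most mount on that path, which is the one that applies.
mount_has_opts() {
    have=$(awk -v t="$1" '$2 == t { o = $4 } END { print o }')
    [ -n "$have" ] || return 1
    for o in $(printf '%s' "$2" | tr ',' ' '); do
        case ",$have," in
            *",$o,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Check every directory in $1 against option set $2 using the listing on stdin.
# Prints one line per directory; returns 1 if any directory is not hardened.
check_hardening() {
    listing=$(cat)
    rc=0
    for d in $1; do
        if printf '%s\n' "$listing" | mount_has_opts "$d" "$2"; then
            echo "ok      $d ($2)"
        else
            echo "MISSING $d ($2)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample listing (not taken from a real host) to exercise the checker
# offline: /tmp went through both steps; /home only through the bind step, so it
# still shows the root filesystem's options; /var/tmp was never touched.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda1 /tmp ext4 rw,nosuid,nodev,noexec,relatime,errors=remount-ro 0 0
/dev/sda1 /home ext4 rw,relatime,errors=remount-ro 0 0'

# Stand-alone use: HARDEN_APPLY=1 as root applies the two-step mounts; otherwise
# only the plan is printed. The live check reads the real mount table when present.
if [ "${HARDEN_APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    apply_hardening "$HARDEN_DIRS" "$HARDEN_OPTS"
else
    for d in $HARDEN_DIRS; do mount_commands_for "$d" "$HARDEN_OPTS"; done
fi
if [ -r /proc/self/mounts ]; then
    check_hardening "$HARDEN_DIRS" "$HARDEN_OPTS" < /proc/self/mounts \
        || echo "some directories still lack $HARDEN_OPTS"
fi
```

Run it without arguments to see the plan and the current state of the listed directories; run it as root with HARDEN_APPLY=1 to apply. The remount step uses the remount,bind form documented in mount(8) so that only the per-mount flags of the bind are changed and the root filesystem's own superblock is left alone; the check then reads the options field of /proc/self/mounts, which reflects those per-mount flags.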