Best way to mount /tmp in fstab?

What is the best way (options, those numbers on the end) to mount a /tmp partition in /etc/fstab in terms of security and speed on a desktop (laptop) computer (read: not server)?

I've heard about nosuid, nodev and noexec, but I have no idea what they do, how to use them or even if I should use them.

I'm using LVM btw.


Solution 1:

The default is just a directory in the root filesystem.

That's fine but I have a desktop, a ton of RAM and reboot very infrequently... Which is the perfect description of somebody who could be using RAM instead of SSD for caching temporary stuff... So mine is mounted as a tmpfs RAMdisk, defined in fstab as:

tmpfs    /tmp    tmpfs    defaults,noatime,mode=1777   0  0

If you power cycle lots, this obviously isn't going to be a good idea for you.

You asked on another (now deleted) answer what the two zeroes were on the end. That's handled by another answer, but basically they mean the system doesn't care about what happens to this filesystem if things crash: it won't dump it out or check it for errors on boot.

noatime is just there as a tiny performance thing. Nothing I know of needs to audit access times of /tmp so I don't bother storing them. There's nothing inherently dangerous about allowing SUID, exec or character devices in /tmp and some things might need them.

In terms of security, while anything can write into /tmp it doesn't mean anything can overwrite or even read existing files. If you have a go-rw permission file, other people won't be able to mess around with it. The various systems that write into /tmp already do things to make sure that they're not clashing over filenames (typically by appending the $USER variable to the filename).
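As an added illustration (not part of the original answer), the script below pulls the /tmp line out of an fstab-style table, labels its six fields as discussed above, and reports which of the three options the question asks about (nosuid, nodev, noexec) are absent. The fstab content it reads is a constructed sample; point the same functions at /etc/fstab to inspect a real system.

```shell
#!/bin/sh
# Added example: inspect the /tmp entry of an fstab-style table offline.
# SAMPLE_FSTAB is constructed for this example and mirrors the tmpfs line
# from the answer; the UUID is a placeholder, not a real device.
SAMPLE_FSTAB='# <device>  <mountpoint>  <type>  <options>              <dump> <pass>
UUID=0000-EXAMPLE  /      ext4   errors=remount-ro            0      1
tmpfs              /tmp   tmpfs  defaults,noatime,mode=1777   0      0'

# Print the first non-comment fstab line whose mount point (field 2) is $1.
# Reads the table from stdin so it works on /etc/fstab or on a sample.
fstab_entry() {
    awk -v mp="$1" '$0 !~ /^[[:space:]]*#/ && $2 == mp { print; exit }'
}

# Print the six fstab fields of one line, labelled, one per line.
# Field 5 is the dump(8) backup flag, field 6 the fsck order (0 = never).
describe_entry() {
    printf '%s\n' "$1" | awk '{
        printf "device=%s\nmountpoint=%s\ntype=%s\noptions=%s\n", $1, $2, $3, $4
        printf "dump=%s\npass=%s\n", $5, $6
    }'
}

# Print, space separated, whichever of nosuid nodev noexec is missing from
# the options field (field 4) of an fstab line; prints nothing if all present.
missing_hardening() {
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    missing=""
    for o in nosuid nodev noexec; do
        case ",$opts," in
            *",$o,"*) ;;                             # option present
            *) missing="$missing${missing:+ }$o" ;;  # option absent
        esac
    done
    printf '%s\n' "$missing"
}

entry=$(printf '%s\n' "$SAMPLE_FSTAB" | fstab_entry /tmp)
describe_entry "$entry"
echo "missing hardening options: $(missing_hardening "$entry")"
```

Replace `printf '%s\n' "$SAMPLE_FSTAB"` with `cat /etc/fstab` to check the local machine's entry.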