
Having a SSD - it is recommended to mount /tmp as tmpfs.

Examples:

The mounting options are different in each example - why???

The default Ubuntu 16 installation sets the mounting options for root (/) as (from /etc/mtab):

/dev/sda1 / ext4 rw,relatime,errors=remount-ro,data=ordered 0 0

Ergo all other options - as suggested in the examples/links - shouldn't be applied.
Some of the mounting options in the various examples on the web are:

defaults,noatime,mode=1777

or:

defaults,noatime,nosuid,nodev,noexec,mode=1777,size=512M

But:

  • Having noatime feels useless because the data is stored in RAM, which is fast anyway.
  • Why nosuid,nodev,noexec ?
    How do they know whether software is dependent on certain options or not?

I think it is best to stick with the default permissions that the installation applied, meaning:

rw,relatime,mode=1777,uid=0,gid=0

In order to ensure proper operation of various software:

  • The permissions are 1777 because the default permissions for /tmp are also drwxrwxrwt (see stat -c "%a %n" /tmp).
  • The uid and gid are root because /tmp has the same.

Is there something which I'm missing here?

Dor
    drwxrwxrwt is 1777, not 0776. It's admittedly a little confusing because ls fits 12 permission bits into 9 character positions. – Mark Plotnick Mar 18 '17 at 18:51
  • @MarkPlotnick True. The documentation for that isn't good. I've seen this source. Is there a difference between 1776 and 1777 ? – Dor Mar 19 '17 at 08:00
  • 1776 doesn't have x permission for other. That's not good for a public directory like /tmp - it would mean users who aren't root and aren't in group 0 cannot access any file in /tmp. – Mark Plotnick Mar 19 '17 at 10:12

2 Answers


Before systemd, the standard way to activate tmpfs on /tmp was to activate it in /etc/default/tmpfs and set RAMTMP=yes (even if almost everyone was editing /etc/fstab). This way you can see what the default options are. On my Devuan Ascii the mounting options are:

$ mount -l | grep "/tmp"
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime,size=3293980k)

size defaults to 20% of physical memory + swap.

So I guess you could not go wrong using the same options in /etc/fstab.


it is recommended to mount /tmp as tmpfs

No.

You may mount a tmpfs device at /tmp if you don't care about losing the files on reboot (tmpfs is implemented in memory).

Ergo all other options - as suggested in the examples/links - shouldn't be applied.

Eh? You don't want these options? Or you think that the OS will ignore them? In the case of the former, choose the options you do want - they WILL be honoured / they are NOT inherited.

Having noatime feels useless

Yes, having atime or relatime has negligible cost here.

Why nosuid,nodev,noexec ?

Because these can be exploited in /tmp. However, the use of the sticky bit also provides mitigation of (all?) attacks using these vectors.

rw,relatime,mode=1777,uid=0,gid=0

rw - well that's kinda useful for a temporary filesystem - but it is also the DEFAULT behaviour so you don't need to explicitly state this.

relatime - up to you - but again it's the default.

mode=1777,uid=0,gid=0 - if, at mount time, your /tmp is not owned by root and world writeable, with the group sticky bit set, then it's probably too late to plug those holes.

symcbean
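The nosuid/nodev/noexec discussion in the question and in this answer is easier to reason about with something you can run. The script below is an added example and not code from the question or from either answer. It does three things: checks a mount option string (as printed by mount, findmnt -no OPTIONS, or field 4 of /proc/self/mounts) for the three hardening flags; checks the directory itself for mode 1777 and root ownership, because tmpfs defaults to 1777 and the kernel leaves mode= out of /proc/mounts when the mode is that default, so the absence of mode=1777 in the option string proves nothing; and, only when run as root, mounts a scratch tmpfs with noexec to show that noexec blocks direct execution of a file but not feeding the same file to an interpreter. It assumes a Linux kernel, GNU stat and util-linux findmnt; every function name is the example's own.

```shell
#!/bin/sh
# Added example (not from the question or either answer): audit a /tmp mount.

# missing_tmp_opts OPTIONS
#   Prints the hardening options absent from the comma-separated OPTIONS
#   string (nosuid nodev noexec) and returns 1 if any is missing, 0 if none.
missing_tmp_opts() {
    opts=",$1,"
    missing=""
    for want in nosuid nodev noexec; do
        case "$opts" in
            *,"$want",*) ;;                     # present
            *) missing="$missing $want" ;;
        esac
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# tmp_dir_mode_ok DIR   -> 0 iff DIR is mode 1777 (drwxrwxrwt, sticky bit set)
tmp_dir_mode_ok() {
    [ "$(stat -c '%a' "$1")" = "1777" ]
}

# tmp_dir_ok DIR        -> 0 iff DIR is 1777 and owned by uid 0, gid 0
# The mode is checked on the directory, not in the option string: tmpfs
# omits mode= from /proc/mounts when it equals the default 1777.
tmp_dir_ok() {
    tmp_dir_mode_ok "$1" && [ "$(stat -c '%u %g' "$1")" = "0 0" ]
}

# audit_tmp [DIR]
#   Live check of whatever mount holds DIR (default /tmp). findmnt -T finds
#   the containing mount, so if /tmp is not separately mounted you are
#   looking at / and its options, exactly the situation in the question.
audit_tmp() {
    dir=${1:-/tmp}
    src=$(findmnt -T "$dir" -no SOURCE,FSTYPE 2>/dev/null || true)
    opts=$(findmnt -T "$dir" -no OPTIONS 2>/dev/null || true)
    printf '%s is on: %s (%s)\n' "$dir" "${src:-unknown}" "${opts:-no options found}"
    lacking=$(missing_tmp_opts "$opts" || true)
    if [ -n "$lacking" ]; then
        printf '  missing hardening options: %s\n' "$lacking"
    else
        printf '  nosuid,nodev,noexec all present\n'
    fi
    if tmp_dir_ok "$dir" 2>/dev/null; then
        printf '  directory is 1777 root:root\n'
    else
        printf '  directory is NOT 1777 root:root: %s\n' \
            "$(stat -c '%a %U:%G' "$dir" 2>/dev/null || echo unreadable)"
    fi
}

# noexec_demo
#   Needs root. Mounts a 1 MiB scratch tmpfs with noexec, then shows that
#   execve() of a script on it is refused while `sh script` still runs it,
#   which is why noexec alone does not stop code from running out of /tmp.
#   Returns 2 when it cannot run (not root, or mount refused).
noexec_demo() {
    [ "$(id -u)" -eq 0 ] || return 2
    mnt=$(mktemp -d) || return 2
    if ! mount -t tmpfs -o nosuid,nodev,noexec,mode=1777,size=1M tmpfs "$mnt" 2>/dev/null; then
        rmdir "$mnt"; return 2
    fi
    printf '#!/bin/sh\necho "running from %s"\n' "$mnt" > "$mnt/t.sh"
    chmod 755 "$mnt/t.sh"
    if "$mnt/t.sh" 2>/dev/null; then
        echo "direct exec: ALLOWED (noexec not in effect?)"
    else
        echo "direct exec: refused (noexec)"
    fi
    sh "$mnt/t.sh" && echo "via interpreter: still runs despite noexec"
    umount "$mnt"
    rmdir "$mnt"
}

audit_tmp "${1:-/tmp}"
noexec_demo || [ $? -eq 2 ] && :
```

Run it as an ordinary user to get the audit of your own /tmp; run it as root to also see the noexec demonstration. Note the split between the option-string check and the directory check: the option string tells you what the mount refuses to do, the directory's mode and owner tell you whether the sticky-bit protection the answer relies on is actually in place.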