Putting mount permissions on directories

Hello,

This tip only works on GNU/Linux systems, since the --bind mount option is Linux-specific.

It is well documented how to set specific options on a physical partition such as /tmp, /var or /home, usually noatime, noexec, nosuid, etc. But what if you only have one single partition, /, for the whole system and you need to set specific mount options on those directories? Is it possible?

Yes, it's possible using the --bind option of the mount tool.

We have everything in a single root / partition:

# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda3 66540312 46161552 16998684 74% /
udev 1037812 2616 1035196 1% /dev
none 1037812 0 1037812 0% /dev/shm

# First bind-mount /tmp onto itself so it becomes a mount point, then remount it with noexec (it is not a partition, it's a simple dir called tmp)

mount --bind /tmp /tmp

mount -o remount,noexec /tmp

# Now, if we try to run any executable in the /tmp dir, we get an error.

$ cd /tmp; cp /bin/ls .; ./ls

-bash: ./ls: Permission denied

$ mount | grep '^/tmp'
/tmp on /tmp type none (rw,noexec,bind)

As you can see, we get 'Permission denied' since /tmp has the noexec option via the bind mount facility. This is useful against script kiddies or stupid scripts that use /tmp as a base because it is world-writable.

This is just an example; now you can use your needs or your imagination to mount /home or any dir with nosuid, noexec, nodev, noatime or to use quotas! (any mount option would work).
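To confirm that the options really took effect on each directory, you can check the mount table instead of trying to run a binary. The following is an added example, not part of the original tip: the function name has_mount_opts and the sample table are constructed for illustration, and the table uses the /proc/mounts field layout.

```shell
#!/bin/sh
# has_mount_opts MOUNTS_FILE MOUNTPOINT OPT[,OPT...]   (hypothetical helper)
# Exit status: 0 = every option present, 1 = mounted but an option is
# missing, 2 = MOUNTPOINT is not a mount point in MOUNTS_FILE.
has_mount_opts() {
    mounts_file=$1 mountpoint=$2 required=$3
    # Field 2 is the mount point, field 4 the option list. The last entry
    # wins, because a later mount on the same path shadows earlier ones.
    opts=$(awk -v mp="$mountpoint" '$2 == mp { o = $4 } END { print o }' "$mounts_file")
    [ -n "$opts" ] || return 2
    old_ifs=$IFS; IFS=,
    for want in $required; do
        case ",$opts," in
            *",$want,"*) ;;                     # option present, keep going
            *) IFS=$old_ifs; return 1 ;;        # option missing
        esac
    done
    IFS=$old_ifs
    return 0
}

# Constructed sample in /proc/mounts format: /tmp was bind-mounted and
# remounted noexec, /home was bind-mounted only, /var is a plain directory.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/dev/sda3 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,noexec,relatime 0 0
/dev/sda3 /home ext3 rw,relatime 0 0
EOF

for dir in /tmp /home /var; do
    rc=0
    has_mount_opts "$SAMPLE" "$dir" noexec || rc=$?
    case $rc in
        0) echo "$dir: noexec active" ;;
        1) echo "$dir: mounted, but noexec missing" ;;
        *) echo "$dir: not a separate mount point" ;;
    esac
done
```

On a live system, pass /proc/mounts as the first argument, for example has_mount_opts /proc/mounts /tmp noexec,nosuid.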

See you!
