Hello,
This tip only works on GNU/Linux systems, since the --bind mount option is Linux-specific.
It is well documented that you should put specific mount options (usually noatime, noexec, nosuid, etc.) on physical partitions like /tmp, /var and /home, but what if you only have one simple / partition for the whole system and you need to put specific mount options on those directories? Is that possible?
Yes, it is possible using the --bind option of the mount tool.
We have everything in a single root / partition:
# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda3 66540312 46161552 16998684 74% /
udev 1037812 2616 1035196 1% /dev
none 1037812 0 1037812 0% /dev/shm
# Mounting and remounting the directory with noexec on /tmp (it is not a partition, it's a plain directory called tmp)
mount --bind /tmp /tmp
mount -o remount,noexec /tmp
# Now, if we try to run any executable from the /tmp dir, we get an error.
$ cd /tmp; cp /bin/ls .; ./ls
-bash: ./ls: Permission denied
$ mount | grep '^\/tmp'
/tmp on /tmp type none (rw,noexec,bind)
As you can see, we get 'Permission denied', since /tmp now has the noexec option set through the bind mount facility. It is useful against script kiddies or stupid scripts that use /tmp as a base because it is world-writable.
On the other hand, this is just an example; now you can apply it to your own needs or use your imagination on /home or any other dir with nosuid, noexec, nodev, noatime, or to use quotas! (any mount option would work).
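As an added example (not part of the original tip), here is a small POSIX shell script that wraps the bind-and-remount sequence in a function and adds a check that verifies a directory really carries the option you expect. The check parses /proc/self/mounts lines (the format differs from the output of plain `mount`), takes the last entry for a directory because the remount shadows the earlier bind line, and matches whole option names so that `nosuid` is not mistaken for `suid`. The mount lines at the top are constructed sample data so the check can run without root; on a real host you would drop the third argument and let the function read /proc/self/mounts itself. The function names `apply_bind_options` and `has_mount_option` are my own, not from the post.

```shell
#!/bin/sh
# Added example, not code from the original post.

# Constructed sample of /proc/self/mounts after "mount --bind /tmp /tmp"
# and "mount -o remount,noexec /tmp" (fields: source target fstype options dump pass).
SAMPLE_MOUNTS='/dev/sda3 / ext4 rw,relatime 0 0
/tmp /tmp none rw,relatime,bind 0 0
/tmp /tmp none rw,noexec,relatime,bind 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,relatime 0 0'

# apply_bind_options DIR OPTIONS
# Bind-mounts DIR onto itself and remounts it with OPTIONS (e.g. "noexec,nosuid,nodev").
# Needs root; it is defined here for completeness and not called in the demo below.
apply_bind_options() {
    mount --bind "$1" "$1" && mount -o "remount,$2" "$1"
}

# mount_options DIR [MOUNTS_TEXT]
# Prints the option list of the last mount entry whose target is DIR
# (the last entry wins, since a remount is listed after the original bind).
# Reads /proc/self/mounts unless MOUNTS_TEXT is given.
mount_options() {
    dir=$1
    mounts=${2:-$(cat /proc/self/mounts)}
    printf '%s\n' "$mounts" | awk -v d="$dir" '$2 == d { o = $4 } END { print o }'
}

# has_mount_option DIR OPTION [MOUNTS_TEXT]
# Returns 0 if DIR is a mount point whose options contain OPTION as a whole
# word, 1 otherwise. Surrounding the list with commas makes the match exact.
has_mount_option() {
    opts=$(mount_options "$1" "$3")
    if [ -z "$opts" ]; then
        return 1
    fi
    case ",$opts," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Stand-alone demonstration against the constructed sample above.
for d in / /tmp /home; do
    for o in noexec nosuid nodev; do
        if has_mount_option "$d" "$o" "$SAMPLE_MOUNTS"; then
            echo "$d: $o set"
        else
            echo "$d: $o NOT set"
        fi
    done
done
```

After hardening a directory on a live system, a one-liner such as `has_mount_option /tmp noexec || echo "/tmp still allows exec"` is a cheap post-change check, and the same function can be dropped into a boot-time audit script to confirm the bind mounts survived a reboot (bind mounts made by hand are not persistent unless you also add them to /etc/fstab).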
See you!