Bind mounting a directory to itself

Discussion in 'all things UNIX' started by Gullible Jones, Nov 29, 2012.

Thread Status:
Not open for further replies.
  1. It turns out you can bind mount a directory to itself. So you can do stuff like this:

    # mount --bind /tmp /tmp
    # mount -o remount,nodev,nosuid,noexec /tmp
    and have /tmp, /var/tmp, etc. mounted with more secure options, even if they're not on separate partitions.

    This seems kind of nifty, but please don't assume it's problem free; there might be some really nasty caveats for all I know. I'm interested in what the local Linux buffs have to say about this...
  2. BrandiCandi

    BrandiCandi Guest

    Have you been running this for a while? What is your experience with it? Does it break stuff?
  3. With bind mounting? No, because I generally use fancy partition layouts. The bind mount thing is just in case that's not practical (e.g. on tiny hard drives).

    If you mean the nodev,nosuid,noexec mount flags... noexec will break dpkg if you put it on /var or /tmp under Debian (or Ubuntu), and may also make your login script not work if applied to /home. Furthermore its coverage is incomplete, since you can still do 'perl' or whatever.

    nodev and nosuid are safe in my experience though, provided you don't put them on /dev or anywhere with suid binaries respectively. This stuff probably doesn't offer all that much security, though; and naught against exploits that run as your user (unless you mount all user-writeable areas as noexec as well, which is often not possible and sometimes inconvenient).
  4. An addendum: most distros mount /dev/shm with full dev,suid permissions. So if you want to make all world-writable areas nodev,nosuid you have to remount /dev/shm too:

    mount -o remount,nodev,nosuid /dev/shm

    Edit: note that nodev is probably not necessary, since there are already limitations in place to keep limited users from creating arbitrary device nodes; OTOH it can't hurt, either. However, there is IMO no excuse whatsoever for not using the nosuid mount option, because tar -p preserves the setuid bit even when run as limited user!

    Edit 2: scratch that, GNU tar preserves setuid but never creates setuid root files when run as limited user. So in theory these measures should not really be necessary... I think.
    Last edited by a moderator: Jan 12, 2013
Thread Status:
Not open for further replies.