Profile Applicability:
 • Level 1

Description:
 The nosuid mount option tells the kernel to ignore the set-user-ID and set-group-ID bits (and, on Linux, file capabilities) when executing programs from the mounted filesystem, so a setuid or setgid binary located there runs with the caller's own privileges. Applying this option to /tmp closes a common privilege-escalation path: /tmp is world-writable, so it is a natural place for a setuid or setgid helper to end up, and with nosuid in force no such program placed there can confer elevated privileges. nosuid does not stop programs in /tmp from running at all; that is the separate noexec option.

Rationale:
 Setting the nosuid option on /tmp reduces the risk that an attacker could gain elevated privileges by executing setuid or setgid binaries from this temporary directory. Because any local user or service can write to /tmp, enforcing nosuid there means that even a setuid file that does get created (for example by a careless installer or a privileged process writing to /tmp insecurely) cannot be used to escalate.

Impact:
 Pros:

  • Helps mitigate privilege escalation attacks via setuid/setgid binaries in /tmp.

  • Complements nodev and noexec on /tmp; together these three options are the standard hardening set for world-writable mounts.

Cons:

  • May break applications that rely on setuid/setgid binaries (or binaries that depend on file capabilities) placed in /tmp. This is uncommon; such software should be relocated to a mount that honours the bits rather than exempting /tmp.

Default Value:
 By default, the nosuid option is not set on a /tmp that is mounted from a conventional /etc/fstab entry unless it is explicitly configured. Distributions that mount /tmp as a tmpfs through systemd's tmp.mount unit generally ship with nosuid and nodev already in the unit's options; verify the live mount rather than assuming either case.

Pre-requisites:

  • Root or sudo privileges to modify /etc/fstab and remount filesystems.

  • /tmp must be a separate mount (a dedicated partition, logical volume, or tmpfs). If /tmp is just a directory on the root filesystem the option cannot be applied to it alone. An /etc/fstab entry for /tmp is honoured even on systems that otherwise use systemd's tmp.mount, since the generated unit from fstab takes precedence over the shipped one.

Remediation:

Test Plan:

Using Linux command line:

  1. Check the current mount options for /tmp from the kernel's mount table (findmnt matches the mount point exactly, whereas "mount | grep /tmp" also matches /var/tmp and anything below /tmp):

     findmnt -kno OPTIONS /tmp
     Expected output: a comma-separated option list that includes nosuid. No output means /tmp is not a separate mount.
  2. Verify that nosuid is set for /tmp in /etc/fstab, comparing the mount-point field rather than a substring of the line:

    awk '!/^[ \t]*#/ && $2 == "/tmp"' /etc/fstab
    Expected output: the /tmp entry, with nosuid in its mount-options field.



Implementation Plan:

Using Linux command line:

  1. Edit /etc/fstab to include nosuid in the mount options for /tmp. For example:
    /dev/<partition>  /tmp  ext4  defaults,nodev,nosuid,noexec  0  0
  2. Remount /tmp with the new options:

     mount -o remount,nosuid /tmp
  3. Verify the mount options as seen by the kernel:

     findmnt -kno OPTIONS /tmp
     Expected output includes nosuid.
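
The following script is an added example written for this page (it is not CIS or distribution code) that carries out the Test Plan and Implementation Plan above in one place: it audits /tmp for nosuid both in /etc/fstab and in the kernel's mount table, prints the remediated fstab, and, when run as root, plants a setuid probe on the mount to confirm that the bit is actually ignored. The function names, the constructed sample fstab and the runuser-based probe are this example's own choices; it assumes util-linux findmnt and runuser are installed.

```shell
#!/bin/sh
# Added example for this page (not CIS or distribution code): audit /tmp for
# nosuid, produce the remediated /etc/fstab, and, when run as root, prove
# that a setuid binary on the mount no longer elevates. The sample fstab at
# the bottom is constructed for the example; the function names are ours.

# fstab_opts FSTAB_TEXT MOUNTPOINT: print the options field of the entry
# whose mount-point field is exactly MOUNTPOINT, skipping comment lines;
# exit 1 when there is no such entry. A plain "grep /tmp /etc/fstab" would
# also match /var/tmp, which is why the mount point is compared as a field.
fstab_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $0 !~ /^[ \t]*#/ && NF >= 4 && $2 == mp { print $4; found = 1 }
        END { exit found ? 0 : 1 }'
}

# has_opt OPTS OPT: succeed if the comma-separated list OPTS contains OPT
# as a whole token ("nosuidx" must not satisfy a check for "nosuid").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_fstab FSTAB_TEXT MOUNTPOINT OPT: print PASS, FAIL or ABSENT.
audit_fstab() {
    opts=$(fstab_opts "$1" "$2") || { echo ABSENT; return 2; }
    if has_opt "$opts" "$3"; then echo PASS; else echo FAIL; return 1; fi
}

# audit_live MOUNTPOINT OPT: the same check against the kernel's mount
# table via findmnt (-k kernel table, -n no headings, -o OPTIONS column).
# This is the result that matters now; fstab only describes the next boot.
audit_live() {
    opts=$(findmnt -kno OPTIONS "$1" 2>/dev/null) || { echo ABSENT; return 2; }
    if has_opt "$opts" "$2"; then echo PASS; else echo FAIL; return 1; fi
}

# remediate_fstab FSTAB_TEXT MOUNTPOINT OPT: print the fstab with OPT
# appended to MOUNTPOINT's options (idempotent; other lines untouched, the
# changed line is re-spaced by awk). Review the output, write it back to
# /etc/fstab, then run "mount -o remount /tmp" to pick the options up.
remediate_fstab() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $0 !~ /^[ \t]*#/ && NF >= 4 && $2 == mp &&
            index("," $4 ",", "," opt ",") == 0 { $4 = $4 "," opt }
        { print }'
}

# probe_suid MOUNTPOINT (root only): copy id(1) into MOUNTPOINT, make it
# setuid root and run it as nobody. With nosuid in force the kernel ignores
# the bit, so the output must not contain "euid=0". Prints ENFORCED,
# NOT-ENFORCED, or INCONCLUSIVE (for example the mount is also noexec, so
# the probe could not be executed at all).
probe_suid() {
    [ "$(id -u)" -eq 0 ] || { echo "probe_suid: needs root" >&2; return 3; }
    probe="$1/.suid-probe.$$"
    cp "$(command -v id)" "$probe" && chown root:root "$probe" && chmod 4755 "$probe" \
        || { rm -f "$probe"; echo INCONCLUSIVE; return 3; }
    if out=$(runuser -u nobody -- "$probe" 2>/dev/null); then
        rm -f "$probe"
        case "$out" in
            *euid=0*) echo NOT-ENFORCED; return 1 ;;
            *)        echo ENFORCED; return 0 ;;
        esac
    else
        rm -f "$probe"; echo INCONCLUSIVE; return 3
    fi
}

# Constructed sample /etc/fstab: /tmp lacks nosuid, /var/tmp has it.
SAMPLE_FSTAB='# constructed sample fstab for this example, not from a real host
UUID=0000-0000  /         ext4   defaults                      0 1
/dev/sdb1       /tmp      ext4   defaults,nodev,noexec         0 0
/dev/sdb2       /var/tmp  ext4   defaults,nodev,nosuid,noexec  0 0
tmpfs           /dev/shm  tmpfs  defaults,nosuid,nodev         0 0'

printf 'fstab  /tmp     nosuid: %s\n' "$(audit_fstab "$SAMPLE_FSTAB" /tmp nosuid)"
printf 'fstab  /var/tmp nosuid: %s\n' "$(audit_fstab "$SAMPLE_FSTAB" /var/tmp nosuid)"
printf 'kernel /tmp     nosuid: %s\n' "$(audit_live /tmp nosuid)"
printf 'remediated /tmp line:   %s\n' "$(remediate_fstab "$SAMPLE_FSTAB" /tmp nosuid | awk '$2 == "/tmp"')"
```

Run it as root to also exercise probe_suid /tmp; expect ENFORCED once nosuid appears in the kernel's option list, and NOT-ENFORCED on a mount where the bit is still honoured. The audit functions return non-zero on FAIL and ABSENT so they can gate a configuration-management run, and remediate_fstab only prints the amended table so the change can be reviewed before it is written to /etc/fstab.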


Backout Plan:

Using Linux command line:

  1. Remove nosuid from /tmp mount options in /etc/fstab.

  2. Remount /tmp without nosuid. The suid option explicitly re-enables the bits; "mount -o remount /tmp" with no further options would likewise re-apply whatever /etc/fstab now lists:

     mount -o remount,suid /tmp


  3. Verify the mount options as seen by the kernel:

     findmnt -kno OPTIONS /tmp
     Expected output no longer includes nosuid.

References: