How to Secure the `/tmp` Directory in Debian 12 Bookworm

Learn how to secure the /tmp directory in Debian 12 Bookworm.

The /tmp directory is a temporary storage location in Linux systems where applications and users can store temporary files. However, since it is world-writable and frequently used, it can be a security risk if not properly secured. Attackers can exploit it to stage and execute malicious scripts, carry out symbolic-link attacks, or fill up disk space, causing system instability.

This guide will cover essential steps to secure the /tmp directory on a Debian 12 Bookworm system effectively.

1. Understanding the Importance of Securing /tmp

By default, /tmp is accessible to all users, meaning that malicious users or poorly designed applications can introduce security vulnerabilities. The main risks include:

  • Race condition attacks – Attackers may manipulate temporary files to gain unauthorized access.
  • Symlink attacks – Symbolic link manipulation can lead to privilege escalation.
  • Code execution – Some applications leave scripts in /tmp, which an attacker could modify or replace before they run.
  • Disk space exhaustion – Unchecked usage of /tmp may lead to denial-of-service (DoS) attacks by filling up the filesystem.

Securing /tmp helps mitigate these threats and hardens your Debian 12 system against attacks.

2. Creating a Separate /tmp Partition

Step 1: Check If /tmp Is a Separate Partition

Run the following command to check if /tmp is already mounted as a separate partition:

mount | grep /tmp

If you see output showing /tmp mounted separately, you can skip this section. Otherwise, follow the steps below to create a dedicated /tmp partition.

Step 2: Backup Important Data

Before making changes, it's always a good idea to back up the current contents of /tmp using:

tar -czvf /root/tmp-backup.tar.gz /tmp

Step 3: Create a New Partition for /tmp

If you have free space on your disk, create a new partition using fdisk or parted. Alternatively, you can use a loopback file.

To create a loopback file for /tmp (e.g., 2GB in size):

sudo dd if=/dev/zero of=/var/tmp_tmp bs=1M count=2048
sudo chmod 600 /var/tmp_tmp
sudo mkfs.ext4 /var/tmp_tmp

Step 4: Mount the /tmp Partition Securely

Edit the /etc/fstab file to mount /tmp with security options. Add the following line:

/var/tmp_tmp  /tmp  ext4  defaults,nosuid,noexec,nodev  0  2

Mount the new /tmp partition:

sudo mount -a

3. Setting Proper Mount Options

Mount options enhance security by restricting how /tmp can be used:

  • noexec – Prevents execution of scripts and binaries from /tmp.
  • nosuid – Blocks the use of SetUID and SetGID binaries in /tmp.
  • nodev – Prevents device files from being created in /tmp.
  • noatime – Reduces unnecessary disk writes by preventing access time updates.

Verify the mount options:

mount | grep /tmp

4. Configuring systemd for /tmp Security

Debian 12 uses systemd, which provides an additional method for securing /tmp: PrivateTmp= gives a service its own empty /tmp and /var/tmp, invisible to other processes, so a planted or predictable file in the shared /tmp cannot reach that service.

Enable PrivateTmp for a service by adding a drop-in for that unit (replace SERVICE with the unit name). PrivateTmp= is a per-unit [Service] option and has no equivalent setting in /etc/systemd/system.conf:

sudo mkdir -p /etc/systemd/system/SERVICE.service.d
printf '[Service]\nPrivateTmp=yes\n' | sudo tee /etc/systemd/system/SERVICE.service.d/private-tmp.conf

Reload the unit files and restart the service so the change takes effect:

sudo systemctl daemon-reload
sudo systemctl restart SERVICE.service
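As an added example (not part of the original guide), the script below writes the same drop-in for a unit you name, reloads and restarts it, and reports the effective PrivateTmp value. Its demo mode starts a transient unit with PrivateTmp=yes and checks that a file the unit writes to "its" /tmp never shows up in the host's /tmp. The function names are the example's own; apply and demo modes assume root and a running systemd with systemd-run available.

```shell
#!/bin/sh
# Added example, not code from the original guide: enable PrivateTmp= for one
# unit through a drop-in file and verify the effect. Function names are this
# example's own.
set -eu

# Drop-in content: PrivateTmp= is a [Service] option, so it lives in a unit
# drop-in, not in system.conf.
private_tmp_dropin() {
    printf '[Service]\nPrivateTmp=yes\n'
}

# Write the drop-in for unit $1 under directory $2 (normally
# /etc/systemd/system). Prints the path that was written.
write_private_tmp_dropin() {
    dir=$2/$1.d
    mkdir -p "$dir"
    private_tmp_dropin > "$dir/private-tmp.conf"
    printf '%s\n' "$dir/private-tmp.conf"
}

# Apply for real: write the drop-in, reload unit files, restart the unit and
# read back the value systemd now uses for it.
enable_private_tmp() {
    write_private_tmp_dropin "$1" /etc/systemd/system
    systemctl daemon-reload
    systemctl restart "$1"
    printf '%s PrivateTmp=%s\n' "$1" "$(systemctl show -p PrivateTmp --value "$1")"
}

# Show the isolation: a transient service with PrivateTmp=yes creates a file in
# the /tmp it sees; that file must not exist in the host's /tmp afterwards.
demo_private_tmp() {
    probe=/tmp/private-tmp-probe.$$
    systemd-run --quiet --wait -p PrivateTmp=yes /bin/sh -c "touch $probe; ls -l $probe"
    if [ -e "$probe" ]; then
        echo "host sees $probe: PrivateTmp is NOT isolating this unit"
    else
        echo "host /tmp has no $probe: the service used a private /tmp"
    fi
}

if [ $# -eq 0 ]; then
    echo "usage: $0 UNIT | demo" >&2
    # no unit given: just print the drop-in that would be written
    private_tmp_dropin
elif [ "$(id -u)" -ne 0 ]; then
    echo "must run as root" >&2
    exit 1
elif [ "$1" = demo ]; then
    demo_private_tmp
else
    enable_private_tmp "$1"
fi
```

Run it as `sudo sh private-tmp.sh SERVICE.service` to harden one unit, or `sudo sh private-tmp.sh demo` to watch the isolation in action; PrivateTmp only protects services whose temporary files are created under /tmp or /var/tmp, so services with an explicit TMPDIR elsewhere need that path covered separately.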

5. Implementing Access Control

Set the expected permissions on /tmp (world-writable, with the sticky bit) using:

chmod 1777 /tmp

The leading 1 in 1777 sets the sticky bit, ensuring users can only delete or rename their own files in /tmp.
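The checks in sections 3 and 5 are easy to automate. The script below is an added example, not code from the original guide: it parses the option list from findmnt, verifies noexec, nosuid and nodev are all present, confirms the 1777 mode, and also reports the kernel's fs.protected_symlinks and fs.protected_hardlinks settings, which are what blunt the symlink attacks described in section 1 inside sticky world-writable directories. The function names are the example's own; audit_tmp returns a non-zero status when any check fails so it can be wired into cron or a compliance job. One caveat worth keeping in mind when noexec is enforced: package maintainer scripts that run helpers from /tmp can break, so test an apt upgrade after enabling it.

```shell
#!/bin/sh
# Added example, not code from the original guide: audit the /tmp hardening
# from sections 3 (mount options) and 5 (sticky bit) plus the kernel's
# protected_symlinks/protected_hardlinks knobs. Function names are this
# example's own.
set -eu

REQUIRED_OPTS="noexec nosuid nodev"

# $1 = comma-separated option list as printed by `findmnt -no OPTIONS /tmp`.
# Prints the required options that are absent, space separated (empty = all set).
missing_tmp_opts() {
    opts=",$1,"
    missing=""
    for o in $REQUIRED_OPTS; do
        case "$opts" in
        *",$o,"*) ;;
        *) missing="$missing${missing:+ }$o" ;;
        esac
    done
    printf '%s' "$missing"
}

# $1 = octal mode as printed by `stat -c %a` (e.g. 1777 or 755).
# True only for a world-writable directory with the sticky bit set.
sticky_world_writable() {
    mode=$1
    case "$mode" in ''|*[!0-7]*) return 1 ;; esac
    while [ ${#mode} -lt 4 ]; do mode="0$mode"; done   # stat omits a leading 0
    special=${mode%???}      # setuid/setgid/sticky digit
    perms=${mode#?}          # the three rwx digits
    [ $((special & 1)) -eq 1 ] && [ "$perms" = 777 ]
}

# $1 = sysctl name under fs/; true when the kernel reports 1 or higher
protected_links_on() {
    f=/proc/sys/fs/$1
    [ -r "$f" ] && [ "$(cat "$f")" -ge 1 ]
}

# Run every check against the live system; non-zero status if anything fails.
audit_tmp() {
    rc=0
    opts=$(findmnt -no OPTIONS /tmp 2>/dev/null || true)
    if [ -z "$opts" ]; then
        echo "FAIL /tmp is not a separate mount: noexec/nosuid/nodev cannot apply"
        rc=1
    else
        m=$(missing_tmp_opts "$opts")
        if [ -z "$m" ]; then echo "OK   mount options: $opts"
        else echo "FAIL missing mount options: $m"; rc=1; fi
    fi
    mode=$(stat -c %a /tmp 2>/dev/null || echo unknown)
    if sticky_world_writable "$mode"; then echo "OK   mode $mode (sticky bit set)"
    else echo "FAIL mode $mode, expected 1777"; rc=1; fi
    for k in protected_symlinks protected_hardlinks; do
        if protected_links_on "$k"; then echo "OK   fs.$k is on"
        else echo "WARN fs.$k is off or unreadable"; fi
    done
    return $rc
}

audit_tmp || echo "one or more /tmp checks failed"
```

findmnt prints nothing when /tmp is just a directory on the root filesystem, which the audit treats as a failure: mount options only exist on a mount point, so until section 2 or 6 has been applied none of noexec, nosuid or nodev can protect /tmp.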

6. Using tmpfs for /tmp

For performance improvements, you can mount /tmp as tmpfs (a RAM-based filesystem). This entry replaces any ext4 /tmp line added in section 2, so remove that line first. Without a size= option tmpfs may grow to half of RAM, so consider adding one (for example size=2G) to keep the disk-space-exhaustion risk from section 1 bounded:

echo 'tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0' >> /etc/fstab

Mount /tmp from the new fstab entry (if /tmp is already mounted from section 2, run sudo umount /tmp first):

sudo mount /tmp
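Sections 2 and 6 both add a /tmp line to /etc/fstab, and running them in sequence (or running either twice) leaves duplicate entries. The script below is an added example, not code from the original guide: it rewrites the /tmp entry idempotently, replacing any earlier one rather than stacking a second, and in root "apply" mode creates the guide's loop file (section 2) or switches to tmpfs (section 6) and mounts it. The function names are the example's own; /var/tmp_tmp and the option sets come from the guide, while loop (an explicit loop-device option) and size=2G (a tmpfs cap) are assumptions added beyond the guide's lists.

```shell
#!/bin/sh
# Added example, not code from the original guide: manage the /tmp line in
# /etc/fstab idempotently so that re-running section 2, or switching to tmpfs
# in section 6, never leaves two competing /tmp entries. Function names are
# this example's own; "loop" and "size=2G" are added assumptions.
set -eu

# Build one fstab line: $1=source $2=fstype $3=options $4=fsck pass number
tmp_fstab_entry() {
    printf '%s  /tmp  %s  %s  0  %s' "$1" "$2" "$3" "$4"
}

# Count active (non-comment) lines whose mount point is /tmp. $1 = fstab path
count_tmp_entries() {
    awk '$1 !~ /^#/ && $2 == "/tmp" { n++ } END { print n + 0 }' "$1"
}

# Replace any existing /tmp line with $2, or append it. $1 = fstab path
ensure_fstab_entry() {
    file=$1
    entry=$2
    [ -f "$file" ] || : > "$file"
    scratch=$(mktemp)
    # keep comments and every line that mounts something other than /tmp
    awk '$1 ~ /^#/ || $2 != "/tmp"' "$file" > "$scratch"
    printf '%s\n' "$entry" >> "$scratch"
    cat "$scratch" > "$file"   # cat keeps the original file's owner and mode
    rm -f "$scratch"
}

# Root only: $1 = "loop" (section 2, 2 GB ext4 loop file) or "tmpfs" (section 6)
apply_tmp_mount() {
    case "$1" in
    loop)
        dd if=/dev/zero of=/var/tmp_tmp bs=1M count=2048 status=none
        chmod 600 /var/tmp_tmp
        mkfs.ext4 -q /var/tmp_tmp
        entry=$(tmp_fstab_entry /var/tmp_tmp ext4 defaults,loop,nosuid,noexec,nodev 2)
        ;;
    tmpfs)
        entry=$(tmp_fstab_entry tmpfs tmpfs defaults,noexec,nosuid,nodev,size=2G 0)
        ;;
    *)
        echo "usage: $0 loop|tmpfs" >&2
        return 2
        ;;
    esac
    ensure_fstab_entry /etc/fstab "$entry"
    # a /tmp mounted earlier must be released before the new entry can take over
    if mountpoint -q /tmp; then umount /tmp; fi
    mount /tmp
    findmnt -no SOURCE,FSTYPE,OPTIONS /tmp
}

# Without arguments only print the two candidate entries (safe anywhere)
if [ $# -eq 0 ]; then
    tmp_fstab_entry /var/tmp_tmp ext4 defaults,loop,nosuid,noexec,nodev 2; echo
    tmp_fstab_entry tmpfs tmpfs defaults,noexec,nosuid,nodev,size=2G 0; echo
elif [ "$(id -u)" -ne 0 ]; then
    echo "apply mode must run as root" >&2
    exit 1
else
    apply_tmp_mount "$1"
fi
```

Run `sudo sh tmp-fstab.sh loop` or `sudo sh tmp-fstab.sh tmpfs`; the unmount step fails if a process still holds files open under /tmp, which is the usual reason to apply this change and then reboot rather than swap /tmp under a running system.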

Conclusion

Securing the /tmp directory in Debian 12 Bookworm is crucial for system security. By implementing a separate partition, using secure mount options, enabling systemd protections, and configuring access controls, you can significantly reduce security risks. These measures will help protect against attacks and ensure system stability.