The LINUX.COM Article Archive
Originally Published: Friday, 28 January 2000 | Author: Derrick H. Lewis
Published to: news_enhance_security/Security Tips
A trivial but useful tip for helping thwart the script kiddie.
Have your users' tmp directory set to ~/.tmp or a similar location to help keep /tmp clean. This is just housecleaning. In /etc/profile, add: export TMP=~/.tmp
Now make /tmp a separate partition. The mount flags for it should be similar to this list: "noexec,nosuid,nodev,rw,auto,async". It is also a good idea to enforce quotas on this partition. The options used prevent execution of any files stored there, prevent suid operation, disallow special files (i.e. the kind found in /dev), allow the partition to be read-write, mount it automatically at boot, and use the default asynchronous write operations. Therefore no more /tmp/.sh, which is a suid shell created by an exploit.
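One way to check that the flags above are actually in effect, as an added example that is not part of the original article: the helper name `missing_tmp_flags` and the sample mount tables are constructed for illustration, and the input is assumed to be in /proc/mounts format.

```sh
#!/bin/sh
# Added example (not from the original article): report which of the
# hardening flags from the tip are absent on a mount point.
# Input on stdin is in /proc/mounts format: device mountpoint fstype options ...

REQUIRED="noexec nosuid nodev"

# missing_tmp_flags [MOUNTPOINT]  (hypothetical helper name)
# Prints missing flags and returns 1; prints nothing and returns 0 if all
# are set; prints "not-mounted" and returns 2 if MOUNTPOINT is not its own mount.
missing_tmp_flags() {
    mp=${1:-/tmp}
    # Keep the last matching entry: a later mount shadows an earlier one.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        echo "not-mounted"
        return 2
    fi
    missing=""
    for flag in $REQUIRED; do
        case ",$opts," in
            *",$flag,"*) ;;                          # flag present
            *) missing="${missing:+$missing }$flag" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "$missing"
    return 1
}

# Constructed sample mount tables (not captured from a real host).
sample_hardened() {
    echo "/dev/sda1 / ext4 rw,relatime 0 0"
    echo "/dev/sda3 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0"
}
sample_weak() {
    echo "/dev/sda1 / ext4 rw,relatime 0 0"
    echo "/dev/sda3 /tmp ext4 rw,nosuid,relatime 0 0"
}
sample_shared() {   # /tmp lives on the root filesystem
    echo "/dev/sda1 / ext4 rw,relatime 0 0"
}

for s in sample_hardened sample_weak sample_shared; do
    if out=$($s | missing_tmp_flags /tmp); then
        echo "$s: /tmp has $REQUIRED"
    else
        echo "$s: problem: $out"
    fi
done
```

On a live system, feed it the kernel's view of the mounts: `missing_tmp_flags /tmp < /proc/mounts`.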