Remount /tmp with exec permission

Server Maintenance | Updated 2026

Some software installations and compilation tasks require execute permission on /tmp. On hardened cPanel servers, /tmp is mounted with noexec by default as a security measure. Here is how to temporarily remount it with exec permission and re-secure it afterward.

In This Guide
  1. Check Current Mount Options
  2. Remount with exec
  3. Remount with noexec (Re-secure)
  4. Why /tmp Is noexec by Default
  5. Alternatives to Remounting
Important: Re-secure When Done

Always remount /tmp back to noexec when you are finished. Leaving exec enabled on /tmp is a security risk - it allows attackers to execute uploaded scripts from the world-writable temp directory.

01. Check Current Mount Options

mount | grep /tmp

Look for noexec in the output. If present, /tmp does not allow script execution:

/dev/sda1 on /tmp type ext4 (rw,nosuid,noexec,nodev)

02. Remount with exec

mount -o remount,exec /tmp

Verify the change:

mount | grep /tmp
# Should now show: (rw,nosuid,nodev) without noexec
Root Required

These commands require root access. On shared hosting, contact your hosting provider. On VPS/dedicated servers, use sudo or log in as root.

03. Remount with noexec (Re-secure)

After your installation or compilation is complete, immediately re-secure /tmp:

mount -o remount,noexec /tmp

Verify:

mount | grep /tmp
# Should show: (rw,nosuid,noexec,nodev)

04. Why /tmp Is noexec by Default

/tmp is world-writable (anyone can write files to it). On a web server, this means:

  • A compromised PHP script can upload a malicious binary to /tmp
  • Without noexec, the attacker can then execute that binary
  • With noexec, the binary is written but cannot be executed - the attack is stopped

This is a standard hardening practice recommended by CIS benchmarks and cPanel's security advisor.

05. Alternatives to Remounting

If you need exec on /tmp frequently for cPanel updates or EasyApache builds, consider these alternatives:

  • Use a different temp directory - set TMPDIR=/root/tmp before running the installer. Many build tools respect this environment variable
  • cPanel's built-in handling - recent cPanel versions automatically handle noexec /tmp during updates by using /usr/local/cpanel/tmp/ instead
  • Script the process - wrap your task in a script that remounts, runs the task, and remounts back: 
    mount -o remount,exec /tmp
# run your task here
mount -o remount,noexec /tmp
CloudLinux CageFS

On CloudLinux servers with CageFS, each user has a virtualized /tmp that is already isolated. The noexec mount on the physical /tmp primarily protects against root-level exploits and system-level scripts.

Need Server Administration Help?

If you need assistance with server hardening or software installations, our team can help.

Open a Support Ticket

Quick Recap

  1. Check: mount | grep /tmp
  2. Enable exec: mount -o remount,exec /tmp
  3. Do your work (install, compile, etc.)
  4. Re-secure: mount -o remount,noexec /tmp
  5. Verify: mount | grep /tmp shows noexec

32,941 users found this article useful · Last updated March 2026 · Browse all Server Maintenance articles

  • 155 Users Found This Useful

Was this answer helpful?

Related Articles

Disable cPanel Brute Force Command Line

Server Maintenance | Updated 2026 cPHulk is cPanel's built-in brute force protection. It...

Repairing and Optimizing all MySQL and MariaDB Databases on the Server

Server Maintenance | Updated 2026 Regularly repairing and optimizing MySQL/MariaDB tables...

E Sysup: Needed system RPMs were not installed: yum-utils

Server Maintenance | Updated 2026 The error E Sysup: Needed system RPMs were not installed:...

error: db3 error(-) from dbenv->failchk: DB_RUNRECOVERY: Fatal error, run database recovery

Server Maintenance | Updated 2026 The error db3 error(-30974) from dbenv->failchk:...

Failed to lock proc mutex: Permission denied

Server Maintenance | Updated 2026 The "failed to lock proc mutex" error in Apache's error log...



Save 30% on web hosting - Use coupon code Hosting30