Putting /tmp on its own filesystem isolates temporary files from the root volume and lets you mount it with options the rest of the system shouldn’t have. The classic recipe uses a dedicated disk partition. The modern recipe uses a tmpfs (RAM-backed) mount managed by systemd. Both are valid, and each is the right choice in a different situation. This guide walks through both on Ubuntu 24.04 LTS (following an in-place upgrade from 22.04) and Debian 13.
The operational benefits are the same either way: a crash, a runaway process, or hostile code dumping data into /tmp can never fill the root filesystem; the mount carries nosuid and nodev (and optionally noexec), so attackers can’t stage set-UID binaries or device nodes there; and the directory is cleared on every boot without you needing to write a cleanup script.
Verified: April 2026 on Ubuntu 24.04.4 LTS with kernel 6.8.0-101-generic using systemd’s tmp.mount unit
Approach 1: Mount /tmp as tmpfs (recommended for most servers)
tmpfs stores everything under /tmp in RAM, falling back to swap if pressure forces it. It’s fast, it clears itself on every boot automatically, and there’s no disk partition to plan. The only cost is that files in /tmp now compete for RAM with everything else.
Ubuntu 24.04 does not enable tmp.mount by default. Check whether a unit exists:
findmnt /tmp
systemctl cat tmp.mount 2>&1 | head -5
On a stock 24.04 cloud image you’ll see that /tmp is not a separate mount and there’s no unit file yet:
No files found for tmp.mount.
Drop a unit file into /etc/systemd/system/tmp.mount and enable it. The unit below mirrors the one shipped on systems that do enable it by default, sized to use up to half the physical memory:
sudo vi /etc/systemd/system/tmp.mount
Paste in the full unit:
[Unit]
Description=Temporary Directory (/tmp)
Documentation=man:hier(7) man:tmpfs(5)
ConditionPathIsSymbolicLink=!/tmp
DefaultDependencies=no
Conflicts=umount.target
Before=local-fs.target umount.target
After=swap.target
[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
# %% is how a literal % is written in a unit file (systemd expands single % as a specifier)
Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m
[Install]
WantedBy=local-fs.target
Reload systemd and enable the mount. The unit activates immediately and persists across reboots:
sudo systemctl daemon-reload
sudo systemctl enable --now tmp.mount
Confirm the mount is active and check the options:
findmnt /tmp
df -hT /tmp
The output reports the filesystem type as tmpfs and the size is capped at half the machine’s RAM:
TARGET SOURCE FSTYPE OPTIONS
/tmp tmpfs tmpfs rw,nosuid,nodev,size=1007612k,nr_inodes=1048576,inode64
Filesystem Type Size Used Avail Use% Mounted on
tmpfs tmpfs 984M 0 984M 0% /tmp
nosuid stops set-UID binaries from running with their owner’s privileges, nodev blocks device node creation, and size=50% caps the mount at half the physical RAM. On a 2 GB VM that’s about 984 MB, as shown above. The remaining half of RAM stays available for applications even if /tmp fills up.
When to use a real disk partition instead
tmpfs is the right default for almost every server. Pick a real partition instead when:
- You run software that writes genuinely large temporary files (ImageMagick, FFmpeg, Spark local-dir, Hadoop scratch space). tmpfs is capped at a fraction of RAM, so a 40 GB temp file is not going to fit.
- RAM is precious on the host and you don’t want temp files competing with applications.
- You need /tmp to persist across reboots (rare but not unheard of for some batch pipelines).
Approach 2: Use a dedicated disk partition
Create a partition (or LV) for /tmp, format it, and mount it with the hardening options. Assume /dev/sdb1 is the new partition (5-10 GB is typical):
sudo mkfs.ext4 -L tmp /dev/sdb1
Switch to rescue mode so nothing has files open in /tmp, move the current contents out of the way, and mount the new partition. Isolating rescue.target stops most services, including networking and sshd, so do this from a console rather than over SSH:
sudo systemctl isolate rescue.target
sudo mv /tmp /tmp.old
sudo mkdir /tmp
sudo chmod 1777 /tmp
sudo mount -o defaults,nosuid,nodev,noexec /dev/sdb1 /tmp
The 1777 mode sets the sticky bit so users can only delete their own files in /tmp, even though the directory is world-writable. This is the same behaviour you want for a shared temporary area.
Make the mount persistent by adding it to /etc/fstab. Use the LABEL= syntax so the mount survives device renames:
LABEL=tmp /tmp ext4 defaults,nosuid,nodev,noexec 0 2
Reboot and confirm the mount comes back cleanly:
sudo reboot
# after reconnecting
findmnt /tmp
df -hT /tmp
A note on noexec
Adding noexec to /tmp is a common hardening move, but it breaks software that uses /tmp for genuine execution. Notable examples are dnf and apt triggers that run scriptlets from scratch directories, and some Python virtualenv tools that build native extensions in temp directories. If package operations start failing after you enable noexec, take it off and leave just nosuid and nodev, which cover the most common privilege-escalation vectors without breaking package managers (for tools that honour TMPDIR, pointing them at another scratch directory is the other option).
Cleaning up the old /tmp contents
If you moved the old /tmp to /tmp.old during the disk-partition flow, remember to delete it once you’ve confirmed the new mount is working:
sudo rm -rf /tmp.old
There’s nothing in /tmp that should survive a reboot anyway, so deleting it is safe. The systemd-tmpfiles-clean.timer unit takes care of ongoing cleanup of old files per the rules in /usr/lib/tmpfiles.d/tmp.conf.
Verifying it works
The final check is to make sure nosuid is actually enforced. Drop a setuid binary into /tmp and try to run it:
sudo cp -p /usr/bin/passwd /tmp/passwd-test   # -p keeps root ownership and the set-UID bit (a plain cp drops it)
ls -la /tmp/passwd-test
/tmp/passwd-test   # as an ordinary user: tries to change your own password and fails without the set-UID grant
sudo rm /tmp/passwd-test
The binary copy keeps its set-UID bit in the listing, but /tmp’s nosuid option means the kernel ignores it at execution time. Running the copy no longer gains root privileges even though the mode bit is still there, which is why it cannot touch /etc/shadow and fails. Remove the test file when you’re done.
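A small audit script, added here as an example and not part of the original guide, that checks whatever is mounted on /tmp regardless of whether it came from tmp.mount or the fstab entry: it confirms /tmp is its own mount, that nosuid and nodev are present, that the directory mode is 1777, and reports whether noexec is in effect by trying to run a probe file. The helper functions take their input as arguments, so they can also be exercised against a constructed option string without touching a real mount; findmnt (util-linux) and GNU stat are assumed to be installed.

```shell
#!/bin/sh
# Added audit helper (not from the original guide).
# Usage:  sh tmp-audit.sh --audit      # live check of /tmp
# Functions take their input as arguments so they can be run against
# constructed values; the live audit only runs when --audit is given.

# missing_opts "OPTS" want...  prints the required options absent from the
# comma-separated mount option string OPTS (as printed by findmnt -no OPTIONS)
# and returns 1 if any are missing, 0 if all are present.
missing_opts() {
    opts=",$1,"
    shift
    missing=""
    for want in "$@"; do
        case "$opts" in
            *",$want,"*) ;;
            *) missing="$missing${missing:+ }$want" ;;
        esac
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# dir_mode_ok DIR  returns 0 if DIR is mode 1777 (world-writable with sticky bit).
dir_mode_ok() {
    [ "$(stat -c %a "$1")" = "1777" ]
}

# exec_probe DIR  writes a trivial script into DIR and tries to run it.
# Prints "blocked" when execution is refused (noexec mount) and "allowed"
# otherwise; the probe file is removed afterwards.
exec_probe() {
    probe=$(mktemp "$1/exec-probe.XXXXXX") || return 2
    printf '#!/bin/sh\nexit 0\n' > "$probe"
    chmod 755 "$probe"
    if "$probe" 2>/dev/null; then result=allowed; else result=blocked; fi
    rm -f "$probe"
    printf '%s\n' "$result"
}

# Live audit of /tmp, only when invoked as:  sh tmp-audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    rc=0
    if ! findmnt -n /tmp >/dev/null; then
        echo "FAIL: /tmp is not a separate mount"
        exit 1
    fi
    echo "fstype: $(findmnt -no FSTYPE /tmp)"
    opts=$(findmnt -no OPTIONS /tmp)
    if m=$(missing_opts "$opts" nosuid nodev); then
        echo "OK:   nosuid and nodev present ($opts)"
    else
        echo "FAIL: missing mount option(s): $m"
        rc=1
    fi
    if dir_mode_ok /tmp; then
        echo "OK:   /tmp is mode 1777"
    else
        echo "FAIL: /tmp is mode $(stat -c %a /tmp), expected 1777"
        rc=1
    fi
    # noexec is optional (see the note above), so this is informational only.
    echo "INFO: execution from /tmp is $(exec_probe /tmp)"
    exit $rc
fi
```

Run it as `sh tmp-audit.sh --audit` after either recipe; a non-zero exit means nosuid or nodev is missing or the sticky mode is wrong, which is exactly the state that would silently undo the hardening after a bad fstab edit or a forgotten `daemon-reload`.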
Wrap up
Separating /tmp from / is a 10-minute job that makes your server meaningfully more resilient to both accidental fill-ups and hostile exploit attempts. For more hardening see our Rocky Linux 10 post-install tips, which pair well with SELinux enforcing, our GRUB password guide for the boot-time side, and the systemctl reference for managing the new tmp.mount unit. If you’re planning a larger layout with /var, /home, and /srv on their own filesystems, consider Btrfs with subvolumes instead of classic partitions.