CME-503

nosuid on Non-Root Partitions

Description

Mounts non-root partitions such as /tmp, /var and /home with the nosuid option. On a nosuid filesystem the kernel ignores the set-user-ID and set-group-ID bits (and, on Linux, file capabilities) when a binary is executed from it, so an attacker who can write to one of these partitions cannot plant a SUID-root binary there and run it to escalate privileges. The option does nothing for binaries on the root filesystem, and it does not stop code on the partition from executing at all (that is what noexec is for); it only stops that code from running under another identity. Before adding nosuid to /var or /home, confirm that no packaged SUID/SGID binary legitimately lives there (for example with find PARTITION -xdev -perm /6000), since those would stop working.

CVSS Vector Impacts

Metric                    Transition   Rationale
Privileges Required (PR)  L → H        A low-privileged attacker who can write to /tmp, /var or /home can no longer deploy a SUID binary there to escalate; the SUID/SGID bits are ignored on these partitions, so escalation requires write access to a filesystem that still honours them

CWE Relationships

Verification

Check nosuid on non-root partitions (Platform: linux). findmnt matches the mount point exactly, so /tmp does not match /var/tmp, and no output at all means the path is not a separate mount and inherits the parent filesystem's options (which is a failure).

$ findmnt -no OPTIONS /tmp | grep -w nosuid
# Expected: a line containing nosuid
$ findmnt -no OPTIONS /var | grep -w nosuid
# Expected: a line containing nosuid
$ findmnt -no OPTIONS /home | grep -w nosuid
# Expected: a line containing nosuid
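The checks above can be scripted over every partition the description names. The following is an added example written for this entry, not a script shipped with CME-503: it reads the mount table from /proc/self/mounts (the same data mount(8) and findmnt(8) report), matches the mount point exactly, treats "not a separate mount point" as a failure, and shows a weak and a hardened /etc/fstab line in comments. The function names, the sample mount table and the fstab lines are this example's own assumptions, not taken from the entry.

```shell
#!/bin/sh
# Added example for CME-503 (not part of the entry): verify that the partitions
# named in the description are mounted nosuid. Options are read from
# /proc/self/mounts. Function names and the constructed sample table below are
# this example's assumptions.
#
# Weak vs. hardened /etc/fstab entries (illustrative, not from the entry):
#   /dev/sda3  /home  ext4  defaults               0 2   # SUID/SGID bits honoured
#   /dev/sda3  /home  ext4  defaults,nosuid,nodev  0 2   # SUID/SGID bits ignored
# After editing fstab: mount -o remount /home

# Return 0 if the comma-separated option list $1 contains option $2 as a whole
# word: "nosuid" must not match "suid", and vice versa.
has_mount_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print the options field of the entry whose mount point is exactly $2 in the
# /proc/self/mounts-format table passed as a string in $1 (fields: source,
# mount point, fstype, options, dump, pass). No output means $2 is not a mount
# point of its own.
mount_opts_for() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# Check each mount point given after the table; print one PASS/FAIL line per
# path and return 1 if any fails. A path that is not a separate mount point
# inherits its parent's options (normally the root filesystem, which cannot be
# nosuid), so it is reported as a failure rather than silently skipped.
check_nosuid() {
    table=$1; shift
    rc=0
    for mp in "$@"; do
        opts=$(mount_opts_for "$table" "$mp")
        if [ -z "$opts" ]; then
            echo "FAIL $mp: not a separate mount point; inherits parent options"
            rc=1
        elif has_mount_opt "$opts" nosuid; then
            echo "PASS $mp: $opts"
        else
            echo "FAIL $mp: $opts"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample table (not captured from a real host): /tmp is hardened,
# /home is a separate mount that still honours SUID, /var is not a mount point.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=1048576k 0 0
/dev/sda3 /home ext4 rw,relatime 0 0'

echo "== sample table =="
if check_nosuid "$SAMPLE_MOUNTS" /tmp /var /home; then
    echo "all listed partitions are nosuid"
else
    echo "remediation needed: add nosuid in /etc/fstab and remount"
fi

# Live check of this host, when /proc is available.
if [ -r /proc/self/mounts ]; then
    echo "== this host =="
    check_nosuid "$(cat /proc/self/mounts)" /tmp /var /home || true
fi
```

Run it as root or as an ordinary user; /proc/self/mounts is world-readable. On the sample table it reports PASS for /tmp and FAIL for both /home (no nosuid) and /var (not a separate mount), which is the outcome the Verification section's expected lines are meant to catch.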