What mount options control
mount options tune how a filesystem is attached: read-only vs read-write,
security restrictions, access-time behaviour and filesystem-specific tuning.
They are supplied after -o on the command line or in the fourth field of an
/etc/fstab entry. Some are generic and work on any VFS filesystem; others
are specific to ext4, tmpfs or bind mounts. This reference groups them by
scope.
How options are specified
Options are a comma-separated list. The kernel applies generic VFS flags first, then hands filesystem-specific options to the driver:
# command line
mount -o ro,noexec,nosuid,nodev /dev/sdb1 /mnt/usb
# /etc/fstab (device mountpoint fstype options dump pass)
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,size=2g,mode=1777 0 0
/data /srv none bind,ro 0 0
defaults is shorthand for rw,suid,dev,exec,auto,nouser,async. You override
individual flags by listing their negation afterward, e.g. defaults,noexec.
Generic VFS options — what each one does
These options work across all filesystem types because they are enforced at the Virtual File System layer before the driver sees the request:
| Option | Effect |
|---|---|
ro | Read-only. Writes are rejected at the VFS layer. |
rw | Read-write (default). |
noexec | Prevents executing binaries from the mount. Processes can still read them. |
nosuid | Ignores setuid and setgid bits. Limits privilege escalation. |
nodev | Ignores device special files (block and character devices). |
noatime | Never updates the access time on file reads. Maximum performance. |
relatime | Updates access time only if older than modification/change time, or older than 24 hours. Modern default balancing performance and compatibility. |
nodiratime | Disables access-time updates for directories only, leaving file atime alone. |
sync | Writes are flushed to disk immediately, not buffered. Slower but safer for critical data. |
ext4-specific options worth knowing
data=ordered (the default) guarantees metadata is only written after data is
flushed, preventing corruption on crash. data=writeback is faster but can
expose stale data in a file after an unclean shutdown. Use errors=remount-ro
on important volumes so a filesystem error triggers an automatic switch to
read-only rather than allowing potential corruption.
tmpfs sizing and permissions
tmpfs lives in memory and grows on demand up to the size limit:
tmpfs /run tmpfs rw,nosuid,nodev,size=100m,mode=755 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,size=2g,mode=1777 0 0
Without size=, tmpfs defaults to half of physical RAM — large enough to cause
problems on memory-constrained systems. Always set an explicit limit. Also set
mode=1777 for /tmp to get the sticky bit that prevents one user’s files from
being deleted by another.
bind mounts explained
A bind mount re-exposes an existing directory at a second path without copying data — the same inodes appear in two places simultaneously:
mount --bind /opt/app/static /var/www/html/static
# or in fstab:
/opt/app/static /var/www/html/static none bind,ro 0 0
Use ro to expose a writable source directory as read-only at the bound
location. Use rbind instead of bind to carry along any submounts that exist
inside the source directory.
A practical hardening checklist
For any removable media or untrusted filesystem (USB drives, NFS mounts for untrusted sources, container scratch volumes):
mount -o ro,noexec,nosuid,nodev /dev/sdX1 /mnt/external
This three-option combination blocks: running binaries from the volume, privilege escalation via setuid, and access to device files — three of the most common attack vectors from a malicious USB drive or network share.