Linux mount Options Reference

Common Linux filesystem mount options with scope — generic, ext4, tmpfs, bind.

Reference for Linux mount command options covering generic VFS flags (ro, noexec, nosuid, noatime) and per-filesystem options for ext4, tmpfs and bind mounts, with fstab usage notes. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

Where do mount options go?

On the command line they follow -o as a comma-separated list, e.g. mount -o ro,noexec,nosuid /dev/sdb1 /mnt. In /etc/fstab they occupy the fourth field of the entry. The same option names work in both places.

What mount options control

mount options tune how a filesystem is attached: read-only vs read-write, security restrictions, access-time behaviour and filesystem-specific tuning. They are supplied after -o on the command line or in the fourth field of an /etc/fstab entry. Some are generic and work on any VFS filesystem; others are specific to ext4, tmpfs or bind mounts. This reference groups them by scope.

How options are specified

Options are a comma-separated list. The kernel applies generic VFS flags first, then hands filesystem-specific options to the driver:

# command line
mount -o ro,noexec,nosuid,nodev /dev/sdb1 /mnt/usb

# /etc/fstab (device  mountpoint  fstype  options  dump  pass)
tmpfs   /tmp   tmpfs   rw,nosuid,nodev,noexec,size=2g,mode=1777   0  0
/data   /srv   none    bind,ro                                    0  0

defaults is shorthand for rw,suid,dev,exec,auto,nouser,async. You override individual flags by listing their negation afterward, e.g. defaults,noexec.

Generic VFS options — what each one does

These options work across all filesystem types because they are enforced at the Virtual File System layer before the driver sees the request:

OptionEffect
roRead-only. Writes are rejected at the VFS layer.
rwRead-write (default).
noexecPrevents executing binaries from the mount. Processes can still read them.
nosuidIgnores setuid and setgid bits. Limits privilege escalation.
nodevIgnores device special files (block and character devices).
noatimeNever updates the access time on file reads. Maximum performance.
relatimeUpdates access time only if older than modification/change time, or older than 24 hours. Modern default balancing performance and compatibility.
nodiratimeDisables access-time updates for directories only, leaving file atime alone.
syncWrites are flushed to disk immediately, not buffered. Slower but safer for critical data.

ext4-specific options worth knowing

data=ordered (the default) guarantees metadata is only written after data is flushed, preventing corruption on crash. data=writeback is faster but can expose stale data in a file after an unclean shutdown. Use errors=remount-ro on important volumes so a filesystem error triggers an automatic switch to read-only rather than allowing potential corruption.

tmpfs sizing and permissions

tmpfs lives in memory and grows on demand up to the size limit:

tmpfs  /run  tmpfs  rw,nosuid,nodev,size=100m,mode=755  0  0
tmpfs  /tmp  tmpfs  rw,nosuid,nodev,noexec,size=2g,mode=1777  0  0

Without size=, tmpfs defaults to half of physical RAM — large enough to cause problems on memory-constrained systems. Always set an explicit limit. Also set mode=1777 for /tmp to get the sticky bit that prevents one user’s files from being deleted by another.

bind mounts explained

A bind mount re-exposes an existing directory at a second path without copying data — the same inodes appear in two places simultaneously:

mount --bind /opt/app/static /var/www/html/static
# or in fstab:
/opt/app/static  /var/www/html/static  none  bind,ro  0  0

Use ro to expose a writable source directory as read-only at the bound location. Use rbind instead of bind to carry along any submounts that exist inside the source directory.

A practical hardening checklist

For any removable media or untrusted filesystem (USB drives, NFS mounts for untrusted sources, container scratch volumes):

mount -o ro,noexec,nosuid,nodev /dev/sdX1 /mnt/external

This three-option combination blocks: running binaries from the volume, privilege escalation via setuid, and access to device files — three of the most common attack vectors from a malicious USB drive or network share.