If /tmp is on its own partition, you could add the "noexec,nosuid,nodev" mount options in /etc/fstab. It won't make it impossible for a person to execute files (a clever person can get around it) but can prevent accidental execution.
For example:
Code:
sudo mv /tmp /oldtmp
sudo mkdir /tmp
sudo mount --bind /oldtmp /tmp
sudo mount /tmp -o remount,nosuid,noexec,nodev
> ./ls
bash: ./ls: Permission denied
> /lib64/ld-linux-x86-64.so.2 ./ls
./ls: error while loading shared libraries: ./ls: failed to map segment from shared object: Operation not permitted
Look at the mount manpage. It shows what a --bind mount fstab entry looks like.
On older versions of Linux, /lib/ld-linux.so /tmp/<program> would run the program. This hole has been plugged.
For Debian distributions, installing packages requires files in /tmp to be executable. You need to modify the system to remount /tmp before install and again after.
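
An added example (not part of the original post): a POSIX shell check that reports which of the noexec, nosuid and nodev options a mount point lacks, reading a file in /proc/self/mounts format. The names missing_opts and sample_mounts and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/self/mounts format (not taken from a real host).
# Fields: device mountpoint fstype options dump pass
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda2 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
}

# missing_opts MOUNTS_FILE MOUNTPOINT [REQUIRED_CSV]
# Prints the required options that are absent, space-separated.
# Returns 0 if none are missing, 1 if some are, 2 if MOUNTPOINT is not
# a mount of its own (it then inherits the parent filesystem's options).
missing_opts() {
    mounts_file=$1
    mountpoint=$2
    required=${3:-noexec,nosuid,nodev}

    # The last matching line wins: later mounts stack over earlier ones.
    opts=$(awk -v mp="$mountpoint" '$2 == mp { o = $4 } END { print o }' "$mounts_file")
    if [ -z "$opts" ]; then
        echo "not-a-mount"
        return 2
    fi

    missing=""
    old_ifs=$IFS
    IFS=,
    for want in $required; do
        case ",$opts," in
            *",$want,"*) ;;                           # option present
            *) missing="${missing:+$missing }$want" ;; # option absent
        esac
    done
    IFS=$old_ifs

    echo "$missing"
    [ -z "$missing" ]
}

# Demo on the constructed sample; on a live system pass /proc/self/mounts.
demo=$(mktemp)
sample_mounts > "$demo"
for mp in /tmp /dev/shm /var/tmp; do
    printf '%s: missing=[%s]\n' "$mp" "$(missing_opts "$demo" "$mp")"
done
rm -f "$demo"
```
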
---
/tmp should just be used for temporary files, such as when modifying a file and needing to redirect to a temporary file before replacing the original:
sed 's/john/mike/' file >/tmp/tmpfile
mv /tmp/tmpfile file
You shouldn't be saving things there. Since you want to make /tmp more secure, delete all files in /tmp when you power down. Most distros have a setting to do that. A malicious file will be removed then.