File system hierarchy overview
UNPRIVILEGED WRITE ACCESS
Unprivileged processes generally lack write access to most of the
hierarchy.
The exceptions for normal users are /tmp/, /var/tmp/, /dev/shm/,
as well as the home directory $HOME (usually found below /home/)
and the runtime directory $XDG_RUNTIME_DIR (found below
/run/user/) of the user, which are all writable.
For unprivileged system processes, only /tmp/, /var/tmp/ and
/dev/shm/ are writable. If an unprivileged system process needs a
private writable directory in /var/ or /run/, it is recommended
to either create it before dropping privileges in the daemon
code, to create it via tmpfiles.d(5) fragments during boot, or
via the StateDirectory= and RuntimeDirectory= directives of
service units (see systemd.unit(5) for details).
/tmp/, /var/tmp/ and /dev/shm/ should be mounted nosuid and
nodev, which means that set-user-id mode and character or block
special devices are not interpreted on those file systems. In
general it is not possible to mount them noexec, because various
programs use those directories for dynamically generated or
optimized code, and with that flag those use cases would break.
Using this flag is OK on special-purpose installations or systems
where all software that may be installed is known and doesn't
require such functionality. See the discussion of
nosuid/nodev/noexec in mount(8) and PROT_EXEC in mmap(2).
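As an added example (not part of the file-hierarchy(7) text), the following POSIX shell audit reads /proc/mounts-style lines and reports whether /tmp/, /var/tmp/ and /dev/shm/ carry the nosuid and nodev options recommended above. The sample mount table is constructed, and the function and variable names are assumptions of this example; pass /proc/mounts instead of the sample to audit a live system.

```shell
#!/bin/sh
# Print the mount options of the last /proc/mounts entry for mount point $2
# in file $1 (later mounts shadow earlier ones); prints nothing if the
# directory is not a separate mount and therefore inherits its parent's options.
mount_opts_for() {
    # /proc/mounts fields: device mountpoint fstype options dump pass
    awk -v d="$2" '$2 == d { o = $4 } END { print o }' "$1"
}

# Check the world-writable directories named in file-hierarchy(7) for the
# nosuid and nodev options. Reads /proc/mounts-style lines from file $1,
# prints one verdict line per directory and returns 1 if any directory
# lacks an option or is not mounted separately at all.
check_mount_opts() {
    rc=0
    for dir in /tmp /var/tmp /dev/shm; do
        opts=$(mount_opts_for "$1" "$dir")
        if [ -z "$opts" ]; then
            echo "$dir not a separate mount (inherits parent options)"
            rc=1
            continue
        fi
        missing=""
        for want in nosuid nodev; do
            # Surround with commas so "nodev" does not match e.g. "nodevx".
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="$missing $want" ;;
            esac
        done
        if [ -z "$missing" ]; then
            echo "$dir ok"
        else
            echo "$dir missing:$missing"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in /proc/mounts format (not taken from a real system):
# /tmp is hardened, /dev/shm lacks nodev, /var/tmp is not a separate mount.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,size=4194304k 0 0
tmpfs /dev/shm tmpfs rw,nosuid,size=2097152k 0 0
EOF

if check_mount_opts "$SAMPLE_MOUNTS"; then
    echo "all audited directories are mounted nosuid,nodev"
else
    echo "audit found gaps"
fi
```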