But why do you think this change doesn't impact the security of your server?
First of all, please understand, I express my own point of view based on my experience and knowledge. And I might be wrong in some aspects.
Secondly, I believe that the /tmp directory is commonly used in malware as it is present on almost all servers and is world writable. While malware usually does not use ENV or SERVER vars to find 'upload_tmp_dir', it directly tries "/tmp" or other common paths. The new temp directory is owned by webapps:webapps:
Code:
[root@server www]# ls -ld /var/www/tmp
drwxrwx--- 2 webapps webapps 4096 Dec 27 11:19 /var/www/tmp
So the other scripts and sites cannot write into it.
And I can hardly recall any issue with roundcube/phpmyadmin/squirrelmail where a hacker hacked a server through the webapps. I constantly see a high number of hacks done through WP, Joomla, etc. sites.
Thirdly, as you already mentioned, we won't stop a hacker from exploiting a server with only noexec,nosuid mount options on /tmp:
Code:
# perl /tmp/perl.pl
# sh /tmp/malware.sh
etc. work fine.
But I still do recommend securing /tmp with noexec,nosuid. This gives protection from bots and scriptkiddies.
So, to make a conclusion: bots and scriptkiddies with scripted attacks rely on the defaults in order to function. They try to write and execute scripts from /tmp and /var/tmp; in most cases they do not check the values of ENV and SERVER vars to find the location of 'upload_tmp_dir'. Thus mounting /tmp with noexec is almost the same as moving the temp dir to another location. Both should give the same effect.
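The post above relies on two controls: the mount options on /tmp and the mode of the relocated temp directory. The script below is an added audit example (not code from the poster or from any of the named web apps) that verifies both: it parses a /proc/mounts-style file for noexec and nosuid on a given mountpoint, and checks that a directory is not world-writable the way the 770 /var/www/tmp in the post is. The function names are my own, the mount lines are constructed sample data rather than output from a real server, and the mode check assumes GNU coreutils `stat -c '%a'` (Linux).

```shell
#!/bin/sh
# Added audit example, not part of the original post.
# Assumes GNU coreutils (stat -c) and a /proc/mounts-style input file.

# has_noexec_nosuid MOUNTPOINT [MOUNTS_FILE]
# Returns 0 when the mount entry for MOUNTPOINT carries both noexec and nosuid.
# MOUNTS_FILE defaults to /proc/mounts; a file argument allows offline testing.
has_noexec_nosuid() {
    mountpoint="$1"
    mounts_file="${2:-/proc/mounts}"
    awk -v mp="$mountpoint" '
        $2 == mp {
            found = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] == "noexec") ne = 1
                if (opts[i] == "nosuid") ns = 1
            }
        }
        END { exit (found && ne && ns) ? 0 : 1 }
    ' "$mounts_file"
}

# not_world_writable DIR
# Returns 0 when DIR exists and its mode has no "other write" bit,
# i.e. it looks like the 770 webapps-owned directory rather than a 1777 /tmp.
not_world_writable() {
    dir="$1"
    [ -d "$dir" ] || return 1
    mode=$(stat -c '%a' "$dir")        # e.g. 770 or 1777 (GNU stat assumed)
    other="${mode#"${mode%?}"}"        # last octal digit = permissions for "other"
    [ $(( other & 2 )) -eq 0 ]
}

# Constructed sample /proc/mounts content (not captured from a real host).
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
EOF

# Demonstration against the sample data and two throwaway directories.
for mp in /tmp /var; do
    if has_noexec_nosuid "$mp" "$SAMPLE_MOUNTS"; then
        echo "$mp: mounted noexec,nosuid"
    else
        echo "$mp: noexec and/or nosuid missing"
    fi
done

DEMO_PRIVATE=$(mktemp -d) && chmod 770 "$DEMO_PRIVATE"    # like /var/www/tmp in the post
DEMO_SHARED=$(mktemp -d)  && chmod 1777 "$DEMO_SHARED"    # like a default /tmp
for d in "$DEMO_PRIVATE" "$DEMO_SHARED"; do
    if not_world_writable "$d"; then
        echo "$d: not world-writable"
    else
        echo "$d: WORLD-WRITABLE"
    fi
done
rm -rf "$DEMO_PRIVATE" "$DEMO_SHARED"
```

On a real host, call `has_noexec_nosuid /tmp` with no second argument to read the live /proc/mounts, and `not_world_writable /var/www/tmp` to confirm the relocated upload_tmp_dir keeps the mode shown in the post; ownership by webapps:webapps still has to be checked separately (for example with `stat -c '%U:%G'`).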