The most common attack vector on Linux web servers, is to get something uploaded onto the server that can then be executed. Most of these automated attacks try to put their payload into /tmp, which is universally writable by any user, and then execute it.
But what if they couldn’t execute it?