It is ok to put those directories on a noexec partition (i.e. Moodle will still run fine), but it'll buy you little additional security, with respect to executing PHP code.
PHP is an interpreted language, thus the PHP scripts are simply text files. They are not executed, they are read and interpreted by the PHP interpreter executable (be it the command line php executable or the web server module that runs as part of the web server executable). Thus, as long as you can read the files, you can "execute" (interpret) them.
What you can gain from using a noexec partition is raising the bar to execute binary code from that partition a bit. I.e., someone uploads a binary executable to your Moodle data or PHP temp directories, and then tries to run it (exploiting some existing security hole in Moodle). If the partition is noexec, the attacker won't be able to run the binary directly (using system(), or exec() or any of the other PHP functions to execute external files). This mitigates (but may not fully prevent) scalation attacks, where a remote security hole in a PHP application (Moodle in this case) can be used to launch a local attack on the server to get root (or any other privledged account that can be used to get root later).
Saludos.
Iñaki.
Security and privacy
Moodle Data on Partition with noexec?
This discussion has been locked so you can no longer reply to it.