Security Handbook/Mounting partitions

System administrators should consider the available security-related mount options in order to harden any devices that are connected to the system.

== Mounting partitions ==

When mounting an ext2, ext3, ext4, or reiserfs partition, a few security-related mount options can be applied in the mount configuration file. The options are:


 * nosuid: Ignores the SUID bit and treats the file just like an ordinary file.
 * noexec: Prevents execution of files from this mount point.
 * nodev: Ignores device files.

Unfortunately, these settings can easily be circumvented by executing a file through an indirect path rather than directly. However, mounting temporary file systems with noexec will stop the majority of exploits designed to be executed directly from them.

For example, hardening the file may look something like the following:

Observe in the example that the mount point is set to read-only mode. This system has been designed to write nothing to that mount point until updates are being applied. When it is time for system updates, it is remounted in read-write mode, updated, then returned to read-only. This small trick has the potential to keep a server more secure.

Some programs will not be able to work properly if a file system they rely on is mounted with these options. Consider removing those options if they cause problems.
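As an added example (not part of the handbook), the following POSIX shell helper audits whether a mount point actually carries the expected options by reading the /proc/mounts format (fourth field is the option list). It assumes the constructed sample mount table below; on a real host, omit the third argument to read /proc/mounts.

```sh
#!/bin/sh
# check_mount_opts MOUNTPOINT EXPECTED_OPTS [MOUNTS_FILE]
#   EXPECTED_OPTS is a comma-separated list, e.g. nosuid,noexec,nodev.
#   MOUNTS_FILE defaults to /proc/mounts; a file path allows offline testing.
# Prints one "MOUNTPOINT: missing OPT" line per absent option.
# Returns 0 when every expected option is present, 1 otherwise.
check_mount_opts() {
    mp=$1
    expected=$2
    src=${3:-/proc/mounts}
    # Field 2 is the mount point, field 4 the option list; when a mount point
    # appears more than once, the last entry is the one currently on top.
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$src" | tail -n 1)
    if [ -z "$opts" ]; then
        echo "$mp: not mounted"
        return 1
    fi
    rc=0
    for want in $(echo "$expected" | tr ',' ' '); do
        # Wrap in commas so "dev" cannot falsely match "nodev".
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$mp: missing $want"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample in /proc/mounts format (not taken from a real system):
# /tmp lacks noexec, /usr is mounted read-only as the handbook suggests.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
EOF

# Report on the sample; a non-zero status flags a hardening gap.
check_mount_opts /tmp nosuid,noexec,nodev "$SAMPLE_MOUNTS"
check_mount_opts /usr ro "$SAMPLE_MOUNTS"
```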