Security Handbook/Mounting partitions

From Gentoo Wiki
Jump to: navigation, search
Security Handbook
Pre-installation concerns
Bootloader security
Logging
Mounting partitions
User and group limitations
File permissions
PAM
TCP wrappers
Kernel security
Network security
Securing services
Chrooting and virtual servers
Firewalls
Intrusion detection
Staying up-to-date

System administrators should consider available security related mount options in order to harden any devices that are connected to the system.

When mounting an ext2, ext3, ext4, or reiserfs partition, a few security related mount options can be applied in /etc/fstab file. The options are:

nosuid
Ignores the SUID bit and makes it just like an ordinary file.
noexec
Prevents execution of files from this mount point.
nodev
Ignores devices.

Unfortunately, these settings can easily be circumvented by executing a non-direct path. However, mounting the /tmp directory with noexec will stop the majority of exploits designed to be executed directly from temporary file systems.

For example, hardening the /etc/fstab file may look something like the following:

FILE /etc/fstab
/dev/sda1          /boot      ext2     noauto,relatime                     1 2
/dev/sda2          none       swap     sw                                  0 0
/dev/sda3          /          ext4     relatime,errors=remount-ro          0 1
/dev/sda4          /var       reiserfs notail,relatime,nodev,nosuid,noexec 0 2
/dev/sda5          /var/tmp   ext2     noatime,nodiratime,nodev,nosuid     0 2
/dev/sda6          /home      reiserfs notail,relatime,nodev,nosuid        0 2
/dev/sda7          /usr       reiserfs notail,relatime,nodev,ro            0 2
/dev/cdroms/cdrom0 /mnt/cdrom iso9660  noauto,ro                           0 0
none               /tmp       tmpfs    nodev,nosuid,noexec                 0 0

Observe in the example that the /usr mount point is set to read-only mode. This system has been designed to write nothing to Template:Path/usr until updates are being applied. When it is time for system updates, /usr is remounted in read-write mode, updated, then returned to read-only. This small trick has the potential to keep a server more secure.

Warning
Placing /tmp in noexec mode can prevent certain legitimate scripts from executing properly.

Some programs (like mail-mta/netqmail) will not be able to work properly if /var has noexec and nosuid. Consider removing those options if they cause problems.

See also