Security Handbook/Mounting partitions
/etc/fstab provides a few security-relevant mount options:
- nosuid: ignores the SUID/SGID bits on files in this partition, so a set-uid binary there runs like an ordinary file.
- noexec: prevents direct execution of files from this partition.
- nodev: ignores device nodes (block and character special files) on this partition.
Unfortunately, noexec is easily circumvented by not executing the file directly: the kernel refuses to run /tmp/payload as a program, but an interpreter invoked from another partition can still read and run it (sh /tmp/payload.sh, python /tmp/payload.py). However, setting /tmp to noexec will still stop the majority of exploits designed to drop a binary in /tmp and execute it directly from there.
For example, a planned-out fstab file may look something like the following (fields: device, mount point, file system type, options, dump, fsck pass):
/dev/sda1 /boot ext2 noauto,relatime 1 2
/dev/sda2 none swap sw 0 0
/dev/sda3 / ext4 relatime,errors=remount-ro 0 1
/dev/sda4 /var reiserfs notail,relatime,nodev,nosuid,noexec 0 2
/dev/sda5 /var/tmp ext2 noatime,nodiratime,nodev,nosuid 0 2
/dev/sda6 /home reiserfs notail,relatime,nodev,nosuid 0 2
/dev/sda7 /usr reiserfs notail,relatime,nodev,ro 0 2
/dev/cdroms/cdrom0 /mnt/cdrom iso9660 noauto,ro 0 0
none /tmp tmpfs nodev,nosuid,noexec 0 0
Placing /tmp in noexec mode can prevent certain legitimate scripts from executing properly, typically installers and build systems that unpack helper programs into /tmp and run them from there. This is also why /var/tmp in the example above is nosuid and nodev but not noexec: Portage builds packages under /var/tmp/portage by default and has to execute files there.
For disk quotas see the Quotas section.
Some programs (like mail-mta/netqmail) will not be able to work properly if /var has nosuid. Consider removing those options if they cause problems.
/usr is set to read-only mode because nothing is written there until updates are applied. When it is time for system updates, remount the file system read-write, apply the updates, and remount it read-only again. A read-only mount is not a barrier against an attacker who already has root (root can simply remount it read-write), but it blocks accidental or automated modification of system binaries by anything that cannot remount, and it forces tampering with /usr to go through a remount that is easy to notice. This small trick has the potential to keep a server more secure.
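Two things a practitioner usually wants on top of the fstab above: a check that the options in fstab actually took effect on the running system (fstab only describes the intended state; /proc/self/mounts is the effective one), and a way to do the read-write/read-only dance for /usr that cannot leave /usr writable when an update aborts half-way. The following script is an added example, not part of the handbook or of Gentoo's own tooling. The POLICY table and the sample /proc/self/mounts contents are constructed here to mirror the example fstab; the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the handbook): audit effective mount options
# against the hardening policy from the example fstab, and wrap a system
# update so /usr is returned to read-only even when the update fails.

# Policy rows: mount point, then the options it must carry (hypothetical
# table, mirrors the example fstab). /var/tmp deliberately lacks noexec
# because Portage builds under /var/tmp/portage by default.
POLICY='
/tmp nodev,nosuid,noexec
/var nodev,nosuid,noexec
/var/tmp nodev,nosuid
/home nodev,nosuid
/usr nodev,ro
'

# missing_opts MOUNTS_FILE MOUNTPOINT REQUIRED
# MOUNTS_FILE is in /proc/self/mounts format. Prints the required options
# that MOUNTPOINT lacks. Returns 0 when compliant, 1 when options are
# missing, 2 when MOUNTPOINT is not mounted at all.
missing_opts() {
    mounts=$1 mp=$2 required=$3
    # Field 2 is the mount point, field 4 the comma separated option list.
    # If a path is mounted more than once, the last entry is the effective one.
    actual=$(awk -v mp="$mp" \
        '$2 == mp { opts = $4; found = 1 }
         END { if (!found) exit 2; print opts }' "$mounts") || return 2
    missing=""
    for opt in $(printf '%s' "$required" | tr ',' ' '); do
        case ",$actual," in
            *",$opt,"*) ;;                              # option present
            *) missing="$missing${missing:+,}$opt" ;;   # option absent
        esac
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# audit_mounts MOUNTS_FILE
# Checks every POLICY row and prints one line per mount point.
# Returns the number of non-compliant (or unmounted) mount points.
audit_mounts() {
    mounts=$1 bad=0
    while read -r mp required; do
        [ -z "$mp" ] && continue
        miss=$(missing_opts "$mounts" "$mp" "$required"); rc=$?
        case $rc in
            0) printf 'ok       %s\n' "$mp" ;;
            2) printf 'FINDING  %s is not a separate mount\n' "$mp"; bad=$((bad + 1)) ;;
            *) printf 'FINDING  %s lacks %s\n' "$mp" "$miss"; bad=$((bad + 1)) ;;
        esac
    done <<EOF
$POLICY
EOF
    return $bad
}

# with_rw_usr COMMAND...
# Remounts /usr read-write, runs COMMAND, and remounts it read-only again,
# also when COMMAND fails or the shell is interrupted (EXIT trap).
# Requires root and a real /usr mount; not exercised by the sample run.
with_rw_usr() {
    mount -o remount,rw /usr || return 1
    trap 'mount -o remount,ro /usr' EXIT
    "$@"; rc=$?
    mount -o remount,ro /usr
    trap - EXIT
    return $rc
}

# write_sample_mounts FILE
# Constructed /proc/self/mounts contents (not captured from a real host):
# /var is missing noexec and /usr is mounted rw, so the audit reports two
# findings; /boot is intentionally absent from the sample.
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda3 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nodev,nosuid,noexec 0 0
/dev/sda4 /var reiserfs rw,relatime,nodev,nosuid,notail 0 0
/dev/sda5 /var/tmp ext2 rw,noatime,nodiratime,nodev,nosuid 0 0
/dev/sda6 /home reiserfs rw,relatime,nodev,nosuid,notail 0 0
/dev/sda7 /usr reiserfs rw,relatime,nodev,notail 0 0
EOF
}

# `sh mountaudit.sh --live` audits this machine; with no argument it
# audits the constructed sample so the script can be tried anywhere.
case ${1:-} in
    --live) audit_mounts /proc/self/mounts || : ;;
    *) f=$(mktemp); write_sample_mounts "$f"; audit_mounts "$f" || :; rm -f "$f" ;;
esac
```

On a real host, run the audit with --live after every boot or fstab change; a finding for /usr usually means an update left it read-write, which is exactly what with_rw_usr is meant to prevent. For an update you would call something like with_rw_usr emerge --update --deep @world as root.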