Security Handbook/Mounting partitions
System administrators should consider available security related mount options in order to harden any devices that are connected to the system.
When mounting a partition, be it Btrfs, ext4, or XFS, a few security related mount options can be applied in the /etc/fstab file to harden the mount point and provide better security to the system at large. Some options include:
- nosuid - Ignores the SUID bit and makes it just like an ordinary file.
- noexec - Prevents execution of files from this mount point.
- nodev - Ignores devices.
Unfortunately, these settings can easily be circumvented by executing a non-direct path. However, mounting the /tmp directory with noexec will stop the majority of exploits designed to be executed directly from temporary file systems.
For example, hardening the /etc/fstab file may look something like the following:
/dev/sda1            /boot       ext2      noauto,relatime                          1 2
/dev/sda2            none        swap      sw                                       0 0
/dev/sda3            /           ext4      relatime,errors=remount-ro               0 1
/dev/sda4            /var        reiserfs  notail,relatime,nodev,nosuid,noexec      0 2
/dev/sda5            /var/tmp    ext2      noatime,nodiratime,nodev,nosuid          0 2
/dev/sda6            /home       reiserfs  notail,relatime,nodev,nosuid             0 2
/dev/sda7            /usr        reiserfs  notail,relatime,nodev,ro                 0 2
/dev/cdroms/cdrom0   /mnt/cdrom  iso9660   noauto,ro                                0 0
none                 /tmp        tmpfs     nodev,nosuid,noexec                      0 0
Observe in the example that the /usr mount point is set to read-only mode. This system has been designed to write nothing to /usr until updates are being applied. When it is time for system updates, /usr is remounted in read-write mode, updated, then returned to read-only. This small trick has the potential to keep a server more secure, since an attacker who gains write access elsewhere cannot modify system binaries under /usr without first remounting it.
Placing /tmp in noexec mode can prevent certain legitimate scripts from executing properly.
Some programs (like mail-mta/netqmail) will not be able to work properly if /var has nosuid. Consider removing those options if they cause problems.
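Editing /etc/fstab only declares the intended options; what matters is what the kernel actually mounted (a remount, an overlooked unit file, or a typo can silently drop an option). The following POSIX shell script is an added example and not part of the Gentoo handbook: it audits a mount table in /proc/mounts format against a small policy that mirrors the fstab above. The policy table, the function names and the sample mount table are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the handbook): audit live mount options against
# the hardening policy described above. Input is one line per mount in
# /proc/mounts format: device mountpoint fstype options dump pass.

# Constructed policy: mountpoint followed by the options it must carry.
POLICY='/tmp nodev,nosuid,noexec
/var nodev,nosuid,noexec
/var/tmp nodev,nosuid
/home nodev,nosuid
/usr nodev,ro'

# Constructed sample mount table. Two entries deliberately drift from the
# policy: /var lacks noexec and /usr is mounted rw instead of ro.
SAMPLE_MOUNTS='/dev/sda3 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda4 /var reiserfs rw,relatime,nodev,nosuid,notail 0 0
/dev/sda5 /var/tmp ext2 rw,noatime,nodiratime,nodev,nosuid 0 0
/dev/sda6 /home reiserfs rw,relatime,nodev,nosuid,notail 0 0
/dev/sda7 /usr reiserfs rw,relatime,nodev,notail 0 0
tmpfs /tmp tmpfs rw,nodev,nosuid,noexec 0 0'

# mount_opts MOUNTPOINT: print the option field of the first table line
# (read from stdin) whose mountpoint matches exactly; empty if not mounted.
mount_opts() {
    awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# has_opt OPTS OPT: succeed only if comma-separated OPTS contains OPT as a
# whole token (so "nosuid" does not match "nosuidx").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_opts MOUNTPOINT REQUIRED: read the mount table from stdin and
# print the required options the mountpoint lacks, comma-separated.
# Prints nothing when the mountpoint is compliant.
missing_opts() {
    opts=$(mount_opts "$1")
    missing=""
    for want in $(printf '%s' "$2" | tr ',' ' '); do
        has_opt "$opts" "$want" || missing="${missing:+$missing,}$want"
    done
    printf '%s' "$missing"
}

# audit_mounts: read the mount table from stdin, check every POLICY entry,
# print one line per non-compliant mountpoint. Returns 1 if any mountpoint
# is non-compliant, 0 if all are. The here-document keeps the loop in the
# current shell so the return code survives.
audit_mounts() {
    table=$(cat)
    rc=0
    while read -r mp required; do
        missing=$(printf '%s\n' "$table" | missing_opts "$mp" "$required")
        if [ -n "$missing" ]; then
            printf '%s: missing %s\n' "$mp" "$missing"
            rc=1
        fi
    done <<EOF
$POLICY
EOF
    return $rc
}

# Run against the constructed table; on a real host feed it /proc/mounts.
if printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts; then
    echo "all policy mountpoints carry their required options"
else
    echo "non-compliant mountpoints found"
fi
```

On a live system replace the sample input with `cat /proc/mounts | audit_mounts` (or `findmnt -rn -o SOURCE,TARGET,FSTYPE,OPTIONS` reshaped to the same field order). The check is intentionally strict about the ro case: a filesystem mounted rw shows `rw` in /proc/mounts, so the script reports `/usr: missing ro` whenever the read-only trick described above has not been re-applied after an update. As the handbook notes, a passing audit is a hardening baseline, not proof that noexec cannot be worked around.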