Security Handbook/Mounting partitions

From Gentoo Wiki

/etc/fstab provides many security options.

When mounting an ext2, ext3, or reiserfs partition, several security-relevant options can be set for it in /etc/fstab. The options are:

  • nosuid - Ignores the set-user-ID (and set-group-ID) bits, so such a file runs just like an ordinary file.
  • noexec - Prevents direct execution of binaries from this partition.
  • nodev - Does not interpret character or block special device nodes on this partition.

Unfortunately, these settings are easily circumvented by invoking a file indirectly rather than executing it from the partition directly. Even so, mounting /tmp with noexec stops the majority of exploits designed to be executed directly from /tmp.

FILE /etc/fstab
/dev/sda1          /boot      ext2     noauto,relatime                     1 2
/dev/sda2          none       swap     sw                                  0 0
/dev/sda3          /          ext4     relatime,errors=remount-ro          0 1
/dev/sda4          /var       reiserfs notail,relatime,nodev,nosuid,noexec 0 2
/dev/sda5          /var/tmp   ext2     noatime,nodiratime,nodev,nosuid     0 2
/dev/sda6          /home      reiserfs notail,relatime,nodev,nosuid        0 2
/dev/sda7          /usr       reiserfs notail,relatime,nodev,ro            0 2
/dev/cdroms/cdrom0 /mnt/cdrom iso9660  noauto,ro                           0 0
none               /tmp       tmpfs    nodev,nosuid,noexec                 0 0
Warning: Placing /tmp in noexec mode can prevent certain legitimate scripts from executing properly.

Note: For disk quotas see the Quotas section.

Note: Some programs (like mail-mta/netqmail) will not be able to work properly if /var has noexec and nosuid. Consider removing those options if this applies to you.

Note: I set up /usr in read-only mode since I never write anything there unless I want to update Gentoo. Then I remount the file system in read-write mode, update and remount again.
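As an added example (not part of the handbook or of Gentoo's own tooling), the following POSIX sh audit script reads an fstab-style table and reports which of the options above a given mount point is missing, so a policy like the example table can be checked against /etc/fstab or /proc/self/mounts. The sample table, the function names options_for and missing_opts, and the policy list are constructed for illustration.

```shell
#!/bin/sh
# Audit an fstab-style table for the nodev/nosuid/noexec/ro options discussed above.
# Constructed sample in /etc/fstab format (not a real system's table); note that
# /var lacks noexec and / carries none of the hardening options.
SAMPLE_FSTAB='
# <fs>     <mountpoint> <type> <opts>                       <dump> <pass>
/dev/sda3  /            ext4   relatime,errors=remount-ro   0 1
/dev/sda4  /var         ext4   relatime,nodev,nosuid        0 2
/dev/sda6  /home        ext4   relatime,nodev,nosuid        0 2
/dev/sda7  /usr         ext4   relatime,nodev,ro            0 2
none       /tmp         tmpfs  nodev,nosuid,noexec          0 0
'

# options_for MOUNTPOINT [FILE]: print the option field of MOUNTPOINT's entry.
# Reads FILE (e.g. /etc/fstab or /proc/self/mounts) or, if omitted, the sample above.
options_for() {
    if [ -n "${2:-}" ]; then cat "$2"; else printf '%s\n' "$SAMPLE_FSTAB"; fi |
        awk -v mp="$1" '$0 !~ /^[ \t]*#/ && NF >= 4 && $2 == mp { print $4; exit }'
}

# missing_opts MOUNTPOINT REQUIRED [FILE]: print (space-separated) every option of the
# comma-separated REQUIRED list that MOUNTPOINT's entry does not carry; print nothing
# when all are present; return 1 if MOUNTPOINT has no entry at all.
missing_opts() {
    opts=$(options_for "$1" "${3:-}")
    [ -n "$opts" ] || return 1
    out=""
    for want in $(printf '%s\n' "$2" | tr ',' ' '); do
        case ",$opts," in
            *",$want,"*) ;;                 # option present
            *) out="$out${out:+ }$want" ;;  # option absent: record it
        esac
    done
    printf '%s\n' "$out"
}

# Policy taken from the handbook's example table: the world-writable areas get all
# three options, /home gets nodev and nosuid, and /usr is mounted read-only.
for entry in "/tmp:nodev,nosuid,noexec" "/var:nodev,nosuid,noexec" \
             "/home:nodev,nosuid" "/usr:nodev,ro"; do
    mp=${entry%%:*} req=${entry#*:}
    if m=$(missing_opts "$mp" "$req"); then
        if [ -z "$m" ]; then echo "$mp: ok"; else echo "$mp: missing $m"; fi
    else
        echo "$mp: no entry"
    fi
done
```

Pass a real table as the third argument of missing_opts (for example /proc/self/mounts) to audit the running system instead of the constructed sample.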