Security Handbook/Mounting partitions

From Gentoo Wiki

System administrators should consider the available security-related mount options in order to harden every storage device connected to the system.

When mounting a partition, be it Btrfs, ext4, or XFS, a few security-related mount options can be applied in the /etc/fstab file to harden the mount point and improve the security of the system at large. Some of these options are:

nosuid
Ignores the set-user-ID and set-group-ID bits on files in this mount, so such a file runs like an ordinary executable.
noexec
Prevents direct execution of files from this mount point.
nodev
Ignores character and block device nodes on this mount, so they cannot be used to access devices.

Unfortunately, these settings can be circumvented by running a file indirectly rather than executing it directly (noexec only blocks direct execution). Nevertheless, mounting the /tmp directory with noexec stops the majority of exploits designed to be executed directly from temporary file systems.

For example, hardening the /etc/fstab file may look something like the following:

FILE /etc/fstab
/dev/sda1          /boot      ext2     noauto,relatime                     1 2
/dev/sda2          none       swap     sw                                  0 0
/dev/sda3          /          ext4     relatime,errors=remount-ro          0 1
/dev/sda4          /var       ext4     notail,relatime,nodev,nosuid,noexec 0 2
/dev/sda5          /var/tmp   ext2     noatime,nodiratime,nodev,nosuid     0 2
/dev/sda6          /home      ext4     notail,relatime,nodev,nosuid        0 2
/dev/sda7          /usr       ext4     notail,relatime,nodev,ro            0 2
/dev/cdroms/cdrom0 /mnt/cdrom iso9660  noauto,ro                           0 0
none               /tmp       tmpfs    nodev,nosuid,noexec                 0 0

Observe in the example that the /usr mount point is mounted read-only. This system is designed so that nothing is written to /usr except while updates are being applied. When it is time for system updates, /usr is remounted read-write, updated, then returned to read-only. This small trick has the potential to keep a server more secure.
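As an added example (not part of the handbook), the following POSIX shell audit checks a mount table in /proc/self/mounts format against the options used in the fstab above, so that a mount point that was remounted read-write or never got its hardening options shows up as a finding. The policy list of mount points and required options is an assumption modelled on that example fstab.

```sh
#!/bin/sh
# Added example: audit a mount table against the hardening options above.
# Input is /proc/self/mounts format (field 2 = mount point, field 4 = options).

# Constructed policy matching the example fstab; adjust to the local layout.
POLICY='/tmp nodev,nosuid,noexec
/var nodev,nosuid,noexec
/var/tmp nodev,nosuid
/home nodev,nosuid
/usr nodev,ro'

# has_opt OPTS_CSV OPT: succeed only if OPT is a whole option in OPTS_CSV
# (so "ro" does not match "errors=remount-ro").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mounts [MOUNTS_FILE]: print one line per finding; return 0 when every
# policy mount point is present with its options, 1 otherwise.
check_mounts() {
    mounts_file=${1:-/proc/self/mounts}
    findings=0
    while read -r mp required; do
        # Last matching line wins: a later mount on the same path shadows earlier ones.
        opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts_file")
        if [ -z "$opts" ]; then
            echo "$mp: not mounted"
            findings=$((findings + 1))
            continue
        fi
        missing=""
        old_ifs=$IFS; IFS=,; set -- $required; IFS=$old_ifs
        for want in "$@"; do
            has_opt "$opts" "$want" || missing="$missing $want"
        done
        if [ -n "$missing" ]; then
            echo "$mp: missing$missing"
            findings=$((findings + 1))
        fi
    done <<EOF
$POLICY
EOF
    [ "$findings" -eq 0 ]
}

# When run with a path argument, audit that table (e.g. /proc/self/mounts).
[ $# -gt 0 ] && check_mounts "$1"
```

Running it against the live table after the /usr update cycle described above confirms that the mount point really went back to read-only.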

Warning
Placing /tmp in noexec mode can prevent certain legitimate scripts from executing properly.

Some programs (like mail-mta/netqmail) will not work properly if /var is mounted with noexec and nosuid. Consider removing those options if they cause problems.
