Security Handbook/Mounting partitions

/etc/fstab provides a few security options.

The options nosuid, noexec and nodev are generic mount options handled by the kernel's VFS layer, so they can be set in /etc/fstab for any filesystem type (ext2, ext3, ext4, reiserfs, tmpfs and so on). The security relevant options are:

nosuid 
Ignores the set-user-ID and set-group-ID bits (and file capabilities) on executables on this filesystem, so they run with the caller's privileges like any ordinary file.
noexec 
Refuses to execute binaries or scripts located on this filesystem directly.
nodev 
Does not interpret character or block special files on this filesystem, so a device node that an attacker manages to create there gives no access to the underlying hardware.

These options are not a complete barrier. noexec only stops the kernel from executing a file directly (and, on current kernels, from mapping it executable); a script on a noexec filesystem can still be run by handing it to an interpreter explicitly, as in sh /tmp/script. Even so, mounting /tmp with noexec defeats the many exploits and droppers that simply write a payload to /tmp and run it by path.

For example, a hardened /etc/fstab might look like the following:

FILE /etc/fstab
/dev/sda1          /boot      ext2     noauto,relatime                     1 2
/dev/sda2          none       swap     sw                                  0 0
/dev/sda3          /          ext4     relatime,errors=remount-ro          0 1
/dev/sda4          /var       reiserfs notail,relatime,nodev,nosuid,noexec 0 2
/dev/sda5          /var/tmp   ext2     noatime,nodiratime,nodev,nosuid     0 2
/dev/sda6          /home      reiserfs notail,relatime,nodev,nosuid        0 2
/dev/sda7          /usr       reiserfs notail,relatime,nodev,ro            0 2
/dev/cdroms/cdrom0 /mnt/cdrom iso9660  noauto,ro                           0 0
none               /tmp       tmpfs    nodev,nosuid,noexec                 0 0
Warning
Mounting /tmp with noexec can break legitimate scripts and programs that expect to execute files they have written there.
Note
For disk quotas see the Quotas section.
Note
Some programs (like mail-mta/netqmail) will not work properly if /var is mounted with noexec and nosuid. Remove those options from the /var entry if they cause problems. The example above keeps noexec off /var/tmp for a similar reason: Portage compiles and runs build steps under /var/tmp/portage by default.
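To check an fstab against the policy sketched above, here is an added example (not code from the handbook or from Gentoo) of a small POSIX shell audit script. It embeds a constructed /etc/fstab sample based on the one above, in which two entries have been deliberately weakened (/home lacks nosuid and /tmp lacks noexec). The expected options per mountpoint in wanted_opts are an assumed policy mirroring the example, not a Gentoo default. Because /etc/fstab and what is actually mounted can diverge, the same function can be fed /proc/self/mounts, which uses the same six-column layout.

```shell
#!/bin/sh
# Added example: audit an fstab-format listing for missing hardening options.
# Works on /etc/fstab and on /proc/self/mounts (same six-column layout).

# Constructed sample based on the handbook's example fstab, with two entries
# deliberately weakened: /home has no nosuid and /tmp has no noexec.
SAMPLE_FSTAB='
/dev/sda1 /boot    ext2     noauto,relatime                     1 2
/dev/sda2 none     swap     sw                                  0 0
/dev/sda3 /        ext4     relatime,errors=remount-ro          0 1
/dev/sda4 /var     reiserfs notail,relatime,nodev,nosuid,noexec 0 2
/dev/sda5 /var/tmp ext2     noatime,nodiratime,nodev,nosuid     0 2
/dev/sda6 /home    reiserfs notail,relatime,nodev               0 2
/dev/sda7 /usr     reiserfs notail,relatime,nodev,ro            0 2
none      /tmp     tmpfs    nodev,nosuid                        0 0
'

# has_opt OPTLIST OPT: succeed if OPT appears in the comma-separated OPTLIST.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# wanted_opts MOUNTPOINT: the options this (assumed) policy expects there.
# /var/tmp is deliberately left without noexec, since Portage builds under it.
wanted_opts() {
    case "$1" in
        /tmp)                echo "nodev nosuid noexec" ;;
        /var|/var/tmp|/home) echo "nodev nosuid" ;;
        /usr)                echo "nodev ro" ;;
        *)                   echo "" ;;
    esac
}

# audit_fstab: read fstab-format lines on stdin and print one
# "MOUNTPOINT missing: opt ..." line for each entry that falls short.
audit_fstab() {
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|\#*) continue ;; esac   # skip blank lines and comments
        [ "$fstype" = swap ] && continue          # swap carries no mount options of interest
        missing=""
        for want in $(wanted_opts "$mnt"); do
            has_opt "$opts" "$want" || missing="$missing $want"
        done
        if [ -n "$missing" ]; then
            printf '%s missing:%s\n' "$mnt" "$missing"
        fi
    done
    return 0
}

# audit_sample: run the audit over the constructed sample above.
audit_sample() {
    printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab
}

# Real use:  audit_fstab < /etc/fstab        (what is configured)
#            audit_fstab < /proc/self/mounts (what is actually mounted)
audit_sample
```

Running it on the sample reports /home as missing nosuid and /tmp as missing noexec; the other entries satisfy the policy. Adjust wanted_opts to whatever your own layout requires, and run it against /proc/self/mounts as well, since a remount or an overlooked initscript can leave the live options weaker than the file suggests.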
Note
/usr is mounted read-only because nothing is written there between updates. When it is time to update the system, remount it read-write, apply the updates, and remount it read-only again. This small step denies an attacker the ability to trojan system binaries and libraries in the common case, since doing so first requires remounting /usr read-write (which root can still do, so it raises the bar rather than forming a hard barrier).
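As an added illustration of the /usr procedure (example code, not from the handbook or from Gentoo), here is a small POSIX shell wrapper that toggles /usr to read-write around a command and back to read-only afterwards, including when the command fails or is interrupted. The MOUNT variable is our own hook so the sequence can be exercised without root by substituting echo; the emerge invocation in the comment is an assumed typical one.

```shell
#!/bin/sh
# Added example: run a command (typically the update) with /usr temporarily
# writable, and remount it read-only again afterwards no matter how the
# command ends.

# MOUNT is overridable so the sequence can be exercised without root
# (for example MOUNT=echo); by default it is the real mount(8).
MOUNT=${MOUNT:-mount}

# with_rw_usr CMD [ARGS...]: remount /usr rw, run CMD, remount /usr ro.
# Returns CMD's exit status. The read-only remount also runs if CMD is
# interrupted with Ctrl-C or killed, via the temporary signal trap.
with_rw_usr() {
    "$MOUNT" -o remount,rw /usr || return $?
    trap '"$MOUNT" -o remount,ro /usr' INT TERM HUP
    _status=0
    "$@" || _status=$?
    trap - INT TERM HUP
    "$MOUNT" -o remount,ro /usr
    return $_status
}

# Typical use as root on Gentoo (assumed invocation, adjust to taste):
#   with_rw_usr emerge --ask --update --deep --newuse @world
```

The wrapper preserves the exit status of the wrapped command, so it can be used in scripts that check whether the update succeeded, while still guaranteeing that /usr does not stay writable after a failed or aborted run.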