Security Handbook/Mounting partitions

From Gentoo Wiki

/etc/fstab provides many security options.

When mounting an ext2, ext3, or reiserfs partition, several mount options can be set for it in /etc/fstab. The security-relevant options are:

  • nosuid - Ignores the SUID bit, so a set-UID binary on this partition runs like an ordinary file.
  • noexec - Prevents direct execution of binaries from this partition.
  • nodev - Does not interpret character or block special device files on this partition.

Unfortunately, these settings can easily be circumvented by invoking a file indirectly rather than executing it by its direct path. However, mounting /tmp with noexec will stop the majority of exploits designed to be executed directly from /tmp.

FILE /etc/fstab
/dev/sda1          /boot      ext2     noauto,relatime                     1 2
/dev/sda2          none       swap     sw                                  0 0
/dev/sda3          /          ext4     relatime,errors=remount-ro          0 1
/dev/sda4          /var       reiserfs notail,relatime,nodev,nosuid,noexec 0 2
/dev/sda5          /var/tmp   ext2     noatime,nodiratime,nodev,nosuid     0 2
/dev/sda6          /home      reiserfs notail,relatime,nodev,nosuid        0 2
/dev/sda7          /usr       reiserfs notail,relatime,nodev,ro            0 2
/dev/cdroms/cdrom0 /mnt/cdrom iso9660  noauto,ro                           0 0
none               /tmp       tmpfs    nodev,nosuid,noexec                 0 0
Placing /tmp in noexec mode can prevent certain legitimate scripts from executing properly.

For disk quotas see the Quotas section.

Some programs (like mail-mta/netqmail) will not work properly if /var is mounted with noexec and nosuid. Consider removing those options if this applies to you.

I set up /usr in read-only mode since I never write anything there unless I want to update Gentoo. Then I remount the file system in read-write mode, update, and remount it read-only again.
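As an added example (not from the handbook), the following POSIX shell script checks an fstab-style table against a small hardening policy assumed here: nodev and nosuid on /tmp, /var/tmp and /home, plus noexec on /tmp. The fstab text embedded in it is constructed for the demonstration; on a real system run `audit_fstab < /etc/fstab` instead.

```shell
#!/bin/sh
# Audit mount options in an fstab-style table against a hardening policy.
# Added example, not from the Gentoo handbook. The policy in required_opts
# is an assumption based on the table above.

# Constructed sample, not a real system's fstab: /var/tmp lacks nodev,
# /home lacks nosuid, /tmp carries all three options.
SAMPLE_FSTAB='/dev/sda3 / ext4 relatime,errors=remount-ro 0 1
/dev/sda5 /var/tmp ext2 noatime,nosuid 0 2
/dev/sda6 /home reiserfs notail,relatime,nodev 0 2
none /tmp tmpfs nodev,nosuid,noexec 0 0'

# has_opt OPTSTRING OPTION -> returns 0 if OPTION is present as a whole word
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# required_opts MOUNTPOINT -> prints the options the policy demands for it
required_opts() {
    case "$1" in
        /tmp) echo "nodev nosuid noexec" ;;
        /var/tmp|/home) echo "nodev nosuid" ;;
        *) echo "" ;;
    esac
}

# audit_fstab reads fstab lines on stdin, prints "MOUNTPOINT missing OPT"
# for every violation and returns 1 if any were found, 0 otherwise.
audit_fstab() {
    rc=0
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        for want in $(required_opts "$mnt"); do
            if ! has_opt "$opts" "$want"; then
                echo "$mnt missing $want"
                rc=1
            fi
        done
    done
    return $rc
}

# Runs the audit over the constructed sample table.
audit_sample() { printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab; }
```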