Security Handbook/Mounting partitions

From Gentoo Wiki

/etc/fstab provides a few security options.

When mounting an ext2, ext3, ext4, or reiserfs partition, a few security-related mount options can be applied in /etc/fstab. The options are:

nosuid: Ignores the SUID bit and treats a SUID file just like an ordinary file.
noexec: Prevents execution of files from this partition.
nodev: Ignores device special files on this partition.

Unfortunately, these settings can be circumvented by running a file indirectly instead of executing it directly. Even so, setting /tmp to noexec will stop the majority of exploits that are designed to be executed directly from /tmp.

For example, an fstab file planned with these options in mind may look something like the following:

FILE /etc/fstab
/dev/sda1          /boot      ext2     noauto,relatime                     1 2
/dev/sda2          none       swap     sw                                  0 0
/dev/sda3          /          ext4     relatime,errors=remount-ro          0 1
/dev/sda4          /var       reiserfs notail,relatime,nodev,nosuid,noexec 0 2
/dev/sda5          /var/tmp   ext2     noatime,nodiratime,nodev,nosuid     0 2
/dev/sda6          /home      reiserfs notail,relatime,nodev,nosuid        0 2
/dev/sda7          /usr       reiserfs notail,relatime,nodev,ro            0 2
/dev/cdroms/cdrom0 /mnt/cdrom iso9660  noauto,ro                           0 0
none               /tmp       tmpfs    nodev,nosuid,noexec                 0 0
Placing /tmp in noexec mode can prevent certain legitimate scripts from executing properly.
For disk quotas see the Quotas section.
Some programs (like mail-mta/netqmail) will not be able to work properly if /var has noexec and nosuid. Consider removing those options if they cause problems.
/usr is set to read-only mode because nothing is written there except when updates are applied. When it is time for system updates, remount the file system in read-write mode, update, and remount it read-only again. This small trick has the potential to keep a server more secure.
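The following POSIX shell script is an added example, not part of the Gentoo Security Handbook. It audits an fstab for the nodev/nosuid/noexec options discussed above against a small per-mount-point policy (the policy, the sample fstab and the function names are this example's own assumptions), and wraps the /usr read-write/read-only remount cycle in a function that restores read-only mode even when the update command fails. The embedded fstab is a constructed sample in which /tmp lacks noexec and /var/tmp is not a separate mount, so the audit reports both.

```sh
#!/bin/sh
# Added example (not handbook code): audit fstab hardening options and
# wrap the /usr remount cycle. Run directly to audit the constructed sample,
# or pass "$(cat /etc/fstab)" to audit_fstab to check a real system.

# Constructed sample fstab, modelled on the handbook's layout.
SAMPLE_FSTAB='/dev/sda1          /boot      ext2     noauto,relatime                     1 2
/dev/sda2          none       swap     sw                                  0 0
/dev/sda3          /          ext4     relatime,errors=remount-ro          0 1
/dev/sda4          /var       reiserfs notail,relatime,nodev,nosuid,noexec 0 2
/dev/sda6          /home      reiserfs notail,relatime,nodev,nosuid        0 2
none               /tmp       tmpfs    nodev,nosuid                        0 0'

# Assumed policy: mount point followed by the options it must carry.
POLICY='/tmp:nodev,nosuid,noexec /var/tmp:nodev,nosuid /home:nodev,nosuid /var:nodev,nosuid,noexec'

# has_opt OPTS NAME: true if NAME is one of the comma-separated OPTS.
# Wrapping both sides in commas prevents "nodev" from matching "nodevfoo".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_opts MOUNTPOINT "opt1 opt2 ..." [FSTAB_TEXT]
# Prints the wanted options that MOUNTPOINT lacks (space-separated), prints
# nothing if all are present, and returns 1 if MOUNTPOINT is not in fstab.
missing_opts() {
    mp=$1; wanted=$2; fstab=${3:-$SAMPLE_FSTAB}
    # Field 2 is the mount point, field 4 the option list; skip comments.
    opts=$(printf '%s\n' "$fstab" | awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4; exit }')
    [ -n "$opts" ] || return 1
    out=""
    for o in $wanted; do
        has_opt "$opts" "$o" || out="$out $o"
    done
    printf '%s' "${out# }"
}

# audit_fstab [FSTAB_TEXT]: report every policy violation; returns 1 if any.
audit_fstab() {
    fstab=${1:-$SAMPLE_FSTAB}; rc=0
    for entry in $POLICY; do
        mp=${entry%%:*}
        want=$(printf '%s' "${entry#*:}" | tr ',' ' ')
        if m=$(missing_opts "$mp" "$want" "$fstab"); then
            if [ -n "$m" ]; then
                echo "$mp: missing $m"; rc=1
            fi
        else
            echo "$mp: not a separate mount in fstab"; rc=1
        fi
    done
    return $rc
}

# update_with_rw_usr CMD...: the handbook's /usr trick as one step. Remounts
# /usr read-write, runs CMD, then remounts read-only whether or not CMD
# succeeded, and returns CMD's status. MOUNT can be overridden with a stub
# for a dry run (assumption of this example, not a mount(8) feature).
MOUNT=${MOUNT:-mount}
update_with_rw_usr() {
    $MOUNT -o remount,rw /usr || return 1
    "$@" && status=0 || status=$?
    $MOUNT -o remount,ro /usr
    return $status
}

# Demonstration against the constructed sample (expected: /tmp and /var/tmp flagged).
audit_fstab || :
```

Typical use on a Gentoo box would be `audit_fstab "$(cat /etc/fstab)"` after editing the file, and `update_with_rw_usr emerge -uDN @world` for the read-only /usr cycle, so that a failed update does not leave /usr writable.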