Don Marti dmarti@zgp.org
Thu Mar 29 12:36:19 PST 2001

If you read Linux documentation or articles, as I think you do, you
occasionally come across a tip such as "Mount /home nosuid" or "mount
the web tree noatime" or "mount /usr read-only".

Well, it's time for the elitists of the world to go through our fstabs
and say what we're mounting how, so that I can create the Canonical
Mount Options Chart to educate those less elite than ourselves. 

Any comments on the usefulness security-wise of making everything except
/ and /usr nosuid,nodev?  And of copious use of noexec?

Here's a start...

/      defaults (ick...can we do better?)

/home  nodev,nosuid  (BOFHs add noexec and create /home/elitists/* for
                      users allowed to exec stuff.  Add noatime if the
                      web tree lives here, for performance.)

/mnt/* noauto,nodev,nosuid  (possibly add "user" for desktop boxes)

/opt   /opt is for Solaris weenies and retards.  /opt/foo should be 
       /usr/lib/foo dammit.

/tmp   nodev,noexec,nosuid,noatime

/usr   ro,nodev (remount rw to update software)

/var   nodev,nosuid,noatime
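As an added example (not part of the original post), the chart above can be turned into a small audit script: it parses fstab-style lines and reports, for each mount point the chart covers, which of the recommended options are missing. The policy table, the sample fstab and the function names are all constructed for this example; the only mount(8) behaviour it relies on is that "user" implies noexec,nosuid,nodev and that "defaults" adds nothing restrictive. Because /proc/mounts uses the same six-column layout, the same parser can be pointed at the live mount table to confirm that what is actually mounted matches what fstab says.

```python
"""Audit fstab-style mount entries against a mount-option chart.

Added example, not code from the original post. The POLICY table is a
constructed encoding of the chart above; adjust it to taste.
"""
import sys
from typing import Dict, List, Optional, Set, Tuple

# Options the chart asks for, keyed by mount point (constructed from the chart).
POLICY: Dict[str, Set[str]] = {
    "/home": {"nodev", "nosuid"},
    "/tmp": {"nodev", "noexec", "nosuid", "noatime"},
    "/usr": {"ro", "nodev"},
    "/var": {"nodev", "nosuid", "noatime"},
}
# Anything under /mnt/ falls under the chart's "/mnt/*" rule.
MNT_POLICY: Set[str] = {"noauto", "nodev", "nosuid"}

# Constructed sample fstab used when no file is given on the command line.
SAMPLE_FSTAB = """\
# <device>   <mountpoint>  <fstype>  <options>              <dump> <pass>
/dev/sda1    /             ext2      defaults               1 1
/dev/sda2    /usr          ext2      ro,nodev               1 2
/dev/sda3    /home         ext2      defaults               1 2
/dev/sda4    /var          ext2      nodev,nosuid,noatime   1 2
/dev/sda5    /tmp          ext2      nodev,nosuid           1 2
/dev/cdrom   /mnt/cdrom    iso9660   noauto,user,ro         0 0
proc         /proc         proc      defaults               0 0
"""


def parse_fstab(text: str) -> List[Tuple[str, str, str, Set[str]]]:
    """Return (device, mountpoint, fstype, options) for each entry.

    /etc/fstab and /proc/mounts share this column layout, so either works.
    Comments and malformed lines are skipped rather than guessed at.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, opts = fields[:4]
        entries.append((device, mountpoint, fstype, set(opts.split(","))))
    return entries


def expected_options(mountpoint: str) -> Optional[Set[str]]:
    """Options the chart wants for this mount point, or None if it has no rule."""
    if mountpoint in POLICY:
        return POLICY[mountpoint]
    if mountpoint.startswith("/mnt/"):
        return MNT_POLICY
    return None


def audit(text: str) -> Dict[str, List[str]]:
    """Map each mount point that has a rule to the sorted list of missing options."""
    findings: Dict[str, List[str]] = {}
    for _device, mountpoint, _fstype, opts in parse_fstab(text):
        want = expected_options(mountpoint)
        if want is None:
            continue
        effective = set(opts)
        # mount(8): "user" implies noexec, nosuid and nodev unless overridden,
        # so a "user" entry already satisfies those three requirements.
        if "user" in effective:
            effective |= {"noexec", "nosuid", "nodev"}
        # "defaults" expands to rw,suid,dev,exec,auto,nouser,async: nothing
        # restrictive, so it contributes no wanted option.
        findings[mountpoint] = sorted(want - effective)
    return findings


if __name__ == "__main__":
    # Usage: python audit_fstab.py [/etc/fstab | /proc/mounts]
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FSTAB
    for mp, missing in audit(source).items():
        status = "ok" if not missing else "missing " + ",".join(missing)
        print(f"{mp:12s} {status}")
```

On the constructed sample this flags /home (no nodev,nosuid) and /tmp (no noexec,noatime), while /usr, /var and /mnt/cdrom pass; / and /proc have no rule in the chart and are skipped. Running it once against /etc/fstab and once against /proc/mounts shows whether a filesystem was later remounted with weaker options than fstab declares.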

