[linux-elitists] mount options frenzy!

Heather star@betelgeuse.starshine.org
Fri Mar 30 13:03:08 PST 2001

> Any comments on the usefulness security-wise of making everything except
> / and /usr nosuid,nodev?  And of copious use of noexec?
> Here's a start...
> /      defaults (ick...can we do better?)

You can make a fairly small slash readonly if you symlink /etc/mtab to
the instance in proc, and mount up other volumes for var, usr, tmp, home.

Most of the worldly crap is in usr anyway.  It still has to be exec tho.

> /home  nodev,nosuid  (BOFHs add noexec and create /home/elitists/* for
>                       users allowed to exec stuff.  Add noatime if the
>                       web tree lives here, for performance.)
> /mnt/* noauto,nodev,nosuid  (possibly add "user" for desktop boxes)
> /opt   /opt is for Solaris weenies and retards.  /opt/foo should be 
>        /usr/lib/foo dammit.

lrwxrwxrwx   1 root     root            8 Oct 14  1999 /opt -> /usr/local

> /tmp   nodev,noexec,nosuid,noatime
> /usr   ro,nodev (remount rw to update software)
> /var   nodev,nosuid,noatime

Well, unless you think the flag items in /var/run may actually care about 
it.  /var/log  and  /var/spool can be extra mount or point into a noatime
volume.  Why do you need exec's in var?

  . | .   Heather Stern                  |         star@starshine.org
--->*<--- Starshine Technical Services - * - consulting@starshine.org
  ' | `   Sysadmin Support and Training  |        (800) 938-4078
