[linux-elitists] mount options frenzy!
Fri Mar 30 13:03:08 PST 2001
> Any comments on the usefulness security-wise of making everything except
> / and /usr nosuid,nodev? And of copious use of noexec?
> Here's a start...
> / defaults (ick...can we do better?)
You can make a fairly small slash readonly if you symlink /etc/mtab to
the instance in proc, and mount up other volumes for var, usr, tmp, home.
Most of the worldly crap is in usr anyway. It still has to be exec, though.
> /home nodev,nosuid (BOFHs add noexec and create /home/elitists/* for
> users allowed to exec stuff. Add noatime if the
> web tree lives here, for performance.)
> /mnt/* noauto,nodev,nosuid (possibly add "user" for desktop boxes)
> /opt /opt is for Solaris weenies and retards. /opt/foo should be
> /usr/lib/foo dammit.
lrwxrwxrwx 1 root root 8 Oct 14 1999 /opt -> /usr/local
> /tmp nodev,noexec,nosuid,noatime
> /usr ro,nodev (remount rw to update software)
> /var nodev,nosuid,noatime
Well, unless you think the flag items in /var/run may actually care about
it. /var/log and /var/spool can be an extra mount or point into a noatime
volume. Why do you need execs in var?
. | . Heather Stern | firstname.lastname@example.org
--->*<--- Starshine Technical Services - * - email@example.com
' | ` Sysadmin Support and Training | (800) 938-4078
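As an added example (not part of the thread, and not anyone's posted code): a small POSIX sh audit that checks live mounts against the kind of policy being argued over above. It reads /proc/mounts-format lines ("device mountpoint fstype options dump pass"), so it can be run as `audit_mounts < /proc/mounts` on a real box; here it runs against a constructed sample. The policy table (ro,nodev on /usr; nodev,nosuid on /home and /var; nodev,nosuid,noexec on /tmp) and the device names in the sample are assumptions mirroring the fstab suggestions in the thread, not a recommendation from the posters.

```shell
#!/bin/sh
# Added example, not from the original post: audit mounted filesystems
# against a nodev/nosuid/noexec/ro policy.  Input is /proc/mounts format:
#   device mountpoint fstype options dump pass

# Assumed policy (one line per mount point), mirroring the thread's fstab
# suggestions.  Mount points not listed here get no requirements.
required_opts() {
    case "$1" in
        /usr)  echo "ro nodev" ;;
        /home) echo "nodev nosuid" ;;
        /tmp)  echo "nodev nosuid noexec" ;;
        /var)  echo "nodev nosuid" ;;
        *)     echo "" ;;
    esac
}

# has_opt OPTS OPT: succeed if comma-separated OPTS contains OPT as a whole
# token, so "nodev" is not matched inside some other option name.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mounts < mounts-file: print "MOUNTPOINT missing OPT" for every gap.
# Returns 0 when the policy is fully satisfied, 1 otherwise.
audit_mounts() {
    violations=0
    while read -r dev mnt fstype opts rest; do
        # /proc/mounts octal-escapes spaces in paths (\040); undo that so
        # "/mnt/my disk" compares correctly against the policy table.
        mnt=$(printf '%b' "$mnt")
        for opt in $(required_opts "$mnt"); do
            if ! has_opt "$opts" "$opt"; then
                echo "$mnt missing $opt"
                violations=$((violations + 1))
            fi
        done
    done
    [ "$violations" -eq 0 ]
}

# Constructed sample in /proc/mounts format (not captured from a real system).
# /tmp lacks noexec and /var lacks nodev and nosuid; everything else complies.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /usr ext3 ro,nodev 0 0
/dev/sda3 /home ext3 rw,nodev,nosuid,noatime 0 0
/dev/sda5 /tmp ext3 rw,nodev,nosuid 0 0
/dev/sda6 /var ext3 rw,noatime 0 0
proc /proc proc rw 0 0'

# Number of policy violations found in the constructed sample.
sample_violations() {
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts | wc -l | tr -d ' '
}

# Stand-alone run: report each gap, then a one-line verdict.
# On a live system replace the sample with:  audit_mounts < /proc/mounts
if printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts; then
    echo "mount policy satisfied"
else
    echo "mount policy violated"
fi
```

The check deliberately reads /proc/mounts rather than /etc/fstab: fstab says what you meant, /proc/mounts says what the kernel actually did after a remount or a manual `mount -o remount,exec /tmp`. Note that `noexec` on /tmp stops direct execution but not `/lib/ld-linux.so.2 /tmp/foo`-style loader tricks on kernels of that era, which is why the thread treats it as a speed bump rather than a boundary.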