multiple partitions - useful mount options for extra security

J.A. Neitzel jan at belvento.org
Fri Dec 15 05:27:06 PST 2000


On Thursday 14 December 2000 07:04, Rudolf Floers gave us this to ponder:
> > There are, of course, some non-default mount options that you can use
> > when mounting partitions that (can|may|might) help improve system
> > security. In particular, I think of the nosuid option... Does anyone
> > else use these or have thoughts on their use? See example below:
>
> well think it's a good idea to mount var, tmp and maybe home rw,noexec
> and nodev. everything else could be mounted ro, but unless you use
> devfs you will run into problems with /dev mounted readonly.
>
> whadda think?

I haven't really messed with anything but the defaults for /var because I 
am only now getting to where I have time to think about such things. For 
my own sanity though, I cannot mount anything ro because I am always 
installing something and remounting filesystems rw just to do that would, 
imho, be more trouble than it's worth...

Have you *ever* mounted /home with noexec ??? Just curious because 
$HOME/{.xinitrc,.xsession} won't be executable. Hence, no starting X by 
any of the normal methods. Besides that, I wouldn't be able to do noexec 
on /home anyway because that is one of my main places for compiling 
software ...

.... And I wouldn't be able to run any of my scripts in ~/bin ! =(

All options are good ideas though. I guess the key is that the SysAdmin 
for a site has to balance the restrictions of these options against the 
site's system-wide security policy to see which ones should be used.
-- 
Jeff





More information about the lfs-security mailing list