multiple partitions - useful mount options for extra security

Rudolf Floers r.floers at web.de
Fri Dec 15 12:10:40 PST 2000


> well think it's a good idea to mount var, tmp and maybe home rw,noexec
> and nodev. everything else could be mounted ro, but unless you use
> devfs you will run into problems with /dev mounted readonly.

i think it's not a good idea to use such a setup on development machines, but ona mail,pop3,firewall,ftp,.. server it does improve security.
you don't want to change files in /usr so often on such machines.

i also like the idea to put certain, security-concerning binaries on a maintenance cd. 
you could put the mount/umount command on that cd, too. and then use a special mount/umount binary on your servers harddisk. this special mount command should only be able to mount the cd drive - nothing else. if you also removed all other chances to remount your partitions off your system (perl, for instance), even a root couldn't modify/delete your read-only data and couldn't upload _and_ execute his own stuff. (unless the maintenance cd is in the drive..., of course)

...
just an idea. :-)

RF






More information about the lfs-security mailing list