/[gentoo]/xml/htdocs/doc/en/security/shb-mounting.xml
Revision 1.5, Sat Mar 31 13:19:50 2012 UTC, by swift (Branch: MAIN, CVS Tags: HEAD; changes since 1.4: +3 -4 lines; MIME type: application/xml)
Fix #410039 - Drop /usr reference from example partition layout in security handbook

<?xml version='1.0' encoding='UTF-8'?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-mounting.xml,v 1.4 2007/03/07 02:14:16 nightmorph Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->

<sections>

<version>2</version>
<date>2012-03-31</date>

<section>
<title>Mounting partitions</title>
<body>

<p>
When mounting a partition, whether it holds <c>ext2</c>, <c>ext3</c>,
<c>reiserfs</c> or any other filesystem, you can apply several security-related
options in <path>/etc/fstab</path>. These are generic mount options enforced by
the kernel, independent of the filesystem type:
</p>

<ul>
<li>
<c>nosuid</c> - Ignores the set-user-ID and set-group-ID bits on files in this
partition, so a setuid binary stored there runs with the invoking user's
privileges, just like an ordinary file
</li>
<li>
<c>noexec</c> - Prevents direct execution of binaries and scripts from this
partition
</li>
<li>
<c>nodev</c> - Does not interpret block or character device nodes on this
partition, so a device file created there cannot be used to reach the
underlying hardware
</li>
</ul>

<p>
Unfortunately, these settings can easily be circumvented: <c>noexec</c> only
stops the kernel from executing a file directly, so an attacker can still hand
the file to an interpreter (<c>sh /tmp/script.sh</c>, <c>perl /tmp/x.pl</c>) or
copy it to a partition that is still mounted exec, such as <path>/var/tmp</path>
in the layout below. However, setting <path>/tmp</path> to noexec will stop the
majority of exploits designed to be executed directly from <path>/tmp</path>.
Note that mount processes the option list from left to right, so a later
<c>exec</c>, <c>suid</c> or <c>dev</c> in the same list re-enables what an
earlier <c>noexec</c>, <c>nosuid</c> or <c>nodev</c> switched off.
</p>

<pre caption="/etc/fstab">
/dev/sda1 /boot ext2 noauto,noatime 1 1
/dev/sda2 none swap sw 0 0
/dev/sda3 / reiserfs notail,noatime 0 0
/dev/sda4 /tmp reiserfs notail,noatime,nodev,nosuid,noexec 0 0
/dev/sda5 /var reiserfs notail,noatime,nodev 0 0
/dev/sda6 /home reiserfs notail,noatime,nodev,nosuid 0 0
/dev/cdroms/cdrom0 /mnt/cdrom iso9660 noauto,ro 0 0
proc /proc proc defaults 0 0
</pre>
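<p>
The following audit script is an added example for this section; it is not part
of the Gentoo handbook or of Portage. It reads fstab lines, computes which of
<c>nodev</c>, <c>nosuid</c> and <c>noexec</c> are actually in force after the
option list has been applied left to right (a trailing <c>exec</c>, <c>suid</c>
or <c>dev</c> undoes the earlier restriction), and reports every mount point
that falls short of a per-mount-point policy. The policy in
<c>required_opts</c> and the sample fstab in <c>SAMPLE_FSTAB</c> are this
example's own constructed choices, modelled on the layout above but with two
deliberate weaknesses.
</p>

```shell
#!/bin/sh
# Audit an fstab for the nodev/nosuid/noexec hardening discussed above.
# Added example for this handbook section; it is not a Gentoo or Portage tool.
# The required-options policy and the sample fstab are this example's own
# choices, constructed for illustration.

# Constructed sample fstab: /tmp lacks noexec, and /var's nodev is undone by a
# later 'dev' (mount applies options left to right, the last one wins).
SAMPLE_FSTAB='
# <fs>      <mountpoint> <type>   <opts>                            <dump> <pass>
/dev/sda1   /boot        ext2     noauto,noatime                    1 1
/dev/sda2   none         swap     sw                                0 0
/dev/sda3   /            reiserfs notail,noatime                    0 0
/dev/sda4   /tmp         reiserfs notail,noatime,nodev,nosuid       0 0
/dev/sda5   /var         reiserfs notail,noatime,nodev,dev          0 0
/dev/sda6   /home        reiserfs notail,noatime,nodev,nosuid       0 0
proc        /proc        proc     defaults                          0 0
'

# required_opts MOUNTPOINT: print the options MOUNTPOINT must end up with.
# This is the example's own policy, mirroring the layout in the text.
required_opts() {
    case "$1" in
        /tmp)  echo "nodev nosuid noexec" ;;
        /home) echo "nodev nosuid" ;;
        /var)  echo "nodev" ;;
        *)     echo "" ;;
    esac
}

# effective_opts OPTLIST: print which of nodev/nosuid/noexec are still in force
# after the comma-separated OPTLIST is applied in order. A later 'dev', 'suid'
# or 'exec' switches the matching restriction back off, as mount(8) does.
# The body is a subshell so the IFS change and 'set -f' stay local.
effective_opts() (
    nodev=0; nosuid=0; noexec=0
    IFS=,; set -f
    for o in $1; do
        case "$o" in
            nodev)  nodev=1 ;;  dev)  nodev=0 ;;
            nosuid) nosuid=1 ;; suid) nosuid=0 ;;
            noexec) noexec=1 ;; exec) noexec=0 ;;
        esac
    done
    out=""
    if [ "$nodev" -eq 1 ];  then out="$out nodev";  fi
    if [ "$nosuid" -eq 1 ]; then out="$out nosuid"; fi
    if [ "$noexec" -eq 1 ]; then out="$out noexec"; fi
    echo "${out# }"
)

# has_word LIST WORD: succeed if WORD is one of the space-separated LIST entries.
has_word() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# check_fstab: read fstab lines from stdin, print one line per required option
# that is not in force, and return 1 if anything is missing (0 otherwise).
check_fstab() {
    rc=0
    while read -r fs mnt _type opts _dump _pass; do
        case "$fs" in ''|'#'*) continue ;; esac   # skip blanks and comments
        eff=$(effective_opts "$opts")
        for want in $(required_opts "$mnt"); do
            if ! has_word "$eff" "$want"; then
                echo "$mnt: missing $want (effective: $eff)"
                rc=1
            fi
        done
    done
    return "$rc"
}

# On a real host: check_fstab < /etc/fstab
# With --demo, run the audit against the constructed sample instead.
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_FSTAB" | check_fstab
fi
```

<p>
Run with <c>--demo</c> the script reports <path>/tmp</path> missing
<c>noexec</c> and <path>/var</path> missing <c>nodev</c>; the second finding is
the one a plain text search for "nodev" would not catch, because the word is
present but neutralised by the <c>dev</c> that follows it. The audit only
inspects <path>/etc/fstab</path>, so after changing it remount the affected
partitions and confirm the live options in <path>/proc/mounts</path>.
</p>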

<warn>
Placing <path>/tmp</path> in <c>noexec</c> mode can prevent certain scripts
from executing properly, typically installers or build scripts that unpack
helper programs into <path>/tmp</path> and then run them. Many such programs
honour the <c>TMPDIR</c> environment variable, so pointing them at a directory
on an exec-capable partition is usually preferable to dropping <c>noexec</c>
from <path>/tmp</path>.
</warn>

<note>
For disk quotas see <uri link="?part=1&amp;chap=5#quotas">the Quotas section</uri>.
</note>

<note>
I do not set <path>/var</path> to <c>noexec</c> or <c>nosuid</c>, even though
files are normally never executed from this mount point. The reason is that
netqmail is installed in <path>/var/qmail</path> and must be allowed to execute
and to access one SUID file. I mount <path>/usr</path> read-only, since nothing
is written there except when updating Gentoo; for an update I remount the
file system read-write, update, and remount it read-only again.
</note>

<note>
Even if you do not use netqmail, Gentoo still needs <path>/var/tmp</path>
mounted without <c>noexec</c>, since Portage builds packages under
<path>/var/tmp/portage</path> and runs the build's own configure scripts and
compiled helpers there. If you insist on mounting <path>/var</path> in
<c>noexec</c> mode, set <c>PORTAGE_TMPDIR</c> in <path>/etc/make.conf</path> to
a directory on a partition that allows execution instead.
</note>

</body>
</section>
</sections>
