| 1 | <?xml version='1.0' encoding='UTF-8'?> |
1 | <?xml version='1.0' encoding='UTF-8'?> |
| 2 | <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-mounting.xml,v 1.3 2006/09/18 09:22:48 neysx Exp $ --> |
2 | <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-mounting.xml,v 1.4 2007/03/07 02:14:16 nightmorph Exp $ --> |
| 3 | <!DOCTYPE sections SYSTEM "/dtd/book.dtd"> |
3 | <!DOCTYPE sections SYSTEM "/dtd/book.dtd"> |
| 4 | |
4 | |
| 5 | <!-- The content of this document is licensed under the CC-BY-SA license --> |
5 | <!-- The content of this document is licensed under the CC-BY-SA license --> |
| 6 | <!-- See http://creativecommons.org/licenses/by-sa/1.0 --> |
6 | <!-- See http://creativecommons.org/licenses/by-sa/1.0 --> |
| 7 | |
7 | |
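Review bot: the only change in this hunk is the `$Header: ... Exp $` line going from revision 1.3 to 1.4 with a new timestamp; that is a CVS keyword that the server expands on commit, so nothing here was hand-edited and nothing needs review beyond confirming the file was committed, which the updated revision and date show.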
| … | |
… | |
| 61 | </note> |
61 | </note> |
| 62 | |
62 | |
| 63 | <note> |
63 | <note> |
| 64 | I do not set <path>/var</path> to <c>noexec</c> or <c>nosuid</c>, even if files |
64 | I do not set <path>/var</path> to <c>noexec</c> or <c>nosuid</c>, even if files |
| 65 | normally are never executed from this mount point. The reason for this is that |
65 | normally are never executed from this mount point. The reason for this is that |
| 66 | qmail is installed in <path>/var/qmail</path> and must be allowed to execute |
66 | netqmail is installed in <path>/var/qmail</path> and must be allowed to execute |
| 67 | and access one SUID file. I setup <path>/usr</path> in read-only mode since I |
67 | and access one SUID file. I setup <path>/usr</path> in read-only mode since I |
| 68 | never write anything there unless I want to update Gentoo. Then I remount the |
68 | never write anything there unless I want to update Gentoo. Then I remount the |
| 69 | file system in read-write mode, update and remount again. |
69 | file system in read-write mode, update and remount again. |
| 70 | </note> |
70 | </note> |
| 71 | |
71 | |
| 72 | <note> |
72 | <note> |
| 73 | Even if you do not use qmail, Gentoo still needs the executable bit set on |
73 | Even if you do not use netqmail, Gentoo still needs the executable bit set on |
| 74 | <path>/var/tmp</path> since ebuilds are made here. But an alternative path can |
74 | <path>/var/tmp</path> since ebuilds are made here. But an alternative path can |
| 75 | be setup if you insist on having <path>/var</path> mounted in <c>noexec</c> |
75 | be setup if you insist on having <path>/var</path> mounted in <c>noexec</c> |
| 76 | mode. |
76 | mode. |
| 77 | </note> |
77 | </note> |
| 78 | |
78 | |
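Review bot: the rename from `qmail` to `netqmail` on lines 66 and 73 is applied consistently, but the hunk carries over two wording defects unchanged that this edit was the natural place to fix: "I setup <path>/usr</path>" (line 67) and "can be setup" (line 75) should read "set up" (verb), and "ebuilds are made here" (line 74) is misleading, since ebuilds live in the Portage tree and what happens under <path>/var/tmp</path> is that packages are built from them. On the substance, line 64-67 justifies leaving all of <path>/var</path> without <c>nosuid</c> because of a single SUID file under <path>/var/qmail</path>; that is exactly the file class <c>nosuid</c> exists to neutralise, so the note would be stronger if it named the file (so a reader can check its mode with `find /var/qmail -perm -4000`) and pointed out that the rest of <path>/var</path> could still be a separate <c>nosuid</c>/<c>noexec</c> mount. Likewise the "alternative path" on lines 74-75 is not actionable as written; suggest naming the <c>PORTAGE_TMPDIR</c> setting in <path>/etc/make.conf</path> so the reader can relocate the build directory off a <c>noexec</c> <path>/var</path>.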