/[gentoo]/xml/htdocs/doc/en/security/shb-mounting.xml
Revision 1.5
Sat Mar 31 13:19:50 2012 UTC by swift
Branch: MAIN
CVS Tags: HEAD
Changes since 1.4: +3 -4 lines
File MIME type: application/xml
Fix #410039 - Drop /usr reference from example partition layout in security handbook

<?xml version='1.0' encoding='UTF-8'?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-mounting.xml,v 1.4 2007/03/07 02:14:16 nightmorph Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->

<sections>

<version>2</version>
<date>2012-03-31</date>

<section>
<title>Mounting partitions</title>
<body>

<p>
When mounting an <c>ext2</c>, <c>ext3</c>, or <c>reiserfs</c> partition, there
are several security-relevant options you can set for it in
<path>/etc/fstab</path>. The options are:
</p>

<ul>
<li>
<c>nosuid</c> - Ignores the SUID bit on this partition, so a set-user-ID
program is run just like an ordinary file
</li>
<li>
<c>noexec</c> - Prevents direct execution of any file on this partition
</li>
<li>
<c>nodev</c> - Does not interpret character or block special devices on this
partition
</li>
</ul>

<p>
Unfortunately, these settings are easily circumvented when a file is invoked
indirectly (for instance through an interpreter) rather than executed
directly. However, setting <path>/tmp</path> to noexec will still stop the
majority of exploits that are designed to be executed directly from
<path>/tmp</path>.
</p>

<pre caption="/etc/fstab">
/dev/sda1 /boot ext2 noauto,noatime 1 1
/dev/sda2 none swap sw 0 0
/dev/sda3 / reiserfs notail,noatime 0 0
/dev/sda4 /tmp reiserfs notail,noatime,nodev,nosuid,noexec 0 0
/dev/sda5 /var reiserfs notail,noatime,nodev 0 0
/dev/sda6 /home reiserfs notail,noatime,nodev,nosuid 0 0
/dev/cdroms/cdrom0 /mnt/cdrom iso9660 noauto,ro 0 0
proc /proc proc defaults 0 0
</pre>

<warn>
Mounting <path>/tmp</path> with <c>noexec</c> can prevent certain scripts
from running properly.
</warn>

<note>
For disk quotas see <uri link="?part=1&amp;chap=5#quotas">the Quotas section</uri>.
</note>

<note>
I do not set <path>/var</path> to <c>noexec</c> or <c>nosuid</c>, even if files
normally are never executed from this mount point. The reason for this is that
netqmail is installed in <path>/var/qmail</path> and must be allowed to execute
and access one SUID file. I set up <path>/usr</path> in read-only mode since I
never write anything there unless I want to update Gentoo. Then I remount the
file system in read-write mode, update and remount again.
</note>

<note>
Even if you do not use netqmail, Gentoo still needs <path>/var/tmp</path> to
be executable, since ebuilds are built there. But an alternative path can be
set up if you insist on having <path>/var</path> mounted in <c>noexec</c>
mode.
</note>

</body>
</section>
</sections>
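An added check, not part of the handbook: the POSIX shell script below audits an fstab-style file against the nodev/nosuid/noexec layout shown above for /tmp, /home and /var. The function names and the embedded sample fstab (constructed from the handbook's example) are my own assumptions.

```shell
# Added example: audit an fstab-style file for the nodev/nosuid/noexec
# options the handbook applies to /tmp, /home and /var (names are mine).

# Constructed sample fstab from the handbook's layout, so this runs offline;
# point audit_fstab at /etc/fstab or /proc/mounts (same field order) instead.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
/dev/sda1 /boot ext2 noauto,noatime 1 1
/dev/sda2 none swap sw 0 0
/dev/sda3 / reiserfs notail,noatime 0 0
/dev/sda4 /tmp reiserfs notail,noatime,nodev,nosuid,noexec 0 0
/dev/sda5 /var reiserfs notail,noatime,nodev 0 0
/dev/sda6 /home reiserfs notail,noatime,nodev,nosuid 0 0
EOF
# fstab_opts FILE MOUNTPOINT: print the option field of MOUNTPOINT's entry.
fstab_opts() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$1"
}

# has_opt OPTS OPT: succeed if OPT appears in the comma-separated list OPTS.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# missing_opts FILE MOUNTPOINT OPT...: print the required options absent from
# MOUNTPOINT's entry; empty output means the entry is fully hardened.
missing_opts() {
    file=$1; mp=$2; shift 2
    opts=$(fstab_opts "$file" "$mp")
    missing=""
    for want in "$@"; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    echo "${missing# }"
}

# audit_fstab FILE: check each mount point against the handbook's layout and
# return non-zero if any expected option is missing.
audit_fstab() {
    rc=0
    for entry in "/tmp:nodev nosuid noexec" "/home:nodev nosuid" "/var:nodev"; do
        mp=${entry%%:*}
        m=$(missing_opts "$1" "$mp" ${entry#*:})
        [ -z "$m" ] || { echo "$mp: missing $m"; rc=1; }
    done
    return $rc
}
audit_fstab "$SAMPLE_FSTAB" && echo "all expected mount options present"
```

Running it against /proc/mounts instead of /etc/fstab checks the options actually in effect rather than only those configured.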
