
4. Mounting Partitions

4.a. Mounting partitions

When mounting an ext2, ext3, or reiserfs partition, you have several security-relevant mount options you can set for it in /etc/fstab. The options are:

  • nosuid - The set-user-ID and set-group-ID bits on files in this partition are ignored, so such a binary runs with the caller's privileges, just like an ordinary file
  • noexec - Direct execution of binaries from this partition is refused
  • nodev - Character and block device nodes on this partition are not interpreted as devices

Unfortunately, these settings can be circumvented by running a file indirectly rather than by its direct path (for example by handing it to an interpreter instead of executing it). Nevertheless, mounting /tmp with noexec stops the majority of exploits that are written to be executed directly from /tmp.

Code Listing 1.1: /etc/fstab

/dev/sda1 /boot ext2 noauto,noatime 1 1
/dev/sda2 none swap sw 0 0
/dev/sda3 / reiserfs notail,noatime 0 0
/dev/sda4 /tmp reiserfs notail,noatime,nodev,nosuid,noexec 0 0
/dev/sda5 /var reiserfs notail,noatime,nodev 0 0
/dev/sda6 /home reiserfs notail,noatime,nodev,nosuid 0 0
/dev/cdroms/cdrom0 /mnt/cdrom iso9660 noauto,ro 0 0
proc /proc proc defaults 0 0

Warning: Placing /tmp in noexec mode can prevent certain scripts from executing properly.

Note: For disk quotas see the Quotas section.

Note: I do not set /var to noexec or nosuid, even if files normally are never executed from this mount point. The reason for this is that netqmail is installed in /var/qmail and must be allowed to execute and access one SUID file. I set up /usr in read-only mode since I never write anything there unless I want to update Gentoo. Then I remount the file system in read-write mode, update and remount again.

Note: Even if you do not use netqmail, Gentoo still needs to be able to execute files from /var/tmp, since ebuilds are built there. But an alternative path can be set up if you insist on having /var mounted in noexec mode.
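The following script is an added example and is not part of the Gentoo handbook. It reads an fstab-style table and reports mount points that lack the nodev, nosuid or noexec options the listing above gives them (the per-mount-point policy in expected_opts is an assumption taken from Code Listing 1.1: all three on /tmp, nodev and nosuid on /home, nodev on /var). The embedded tables are constructed sample input: the handbook listing, which passes, and a weakened copy of it, which does not.

```shell
#!/bin/sh
# Audit an fstab for the nodev/nosuid/noexec hardening options.
# Added example, not handbook code. Policy and sample data are assumptions.

# Constructed sample 1: Code Listing 1.1 from the handbook (meets the policy).
SAMPLE_FSTAB='/dev/sda1 /boot ext2 noauto,noatime 1 1
/dev/sda2 none swap sw 0 0
/dev/sda3 / reiserfs notail,noatime 0 0
/dev/sda4 /tmp reiserfs notail,noatime,nodev,nosuid,noexec 0 0
/dev/sda5 /var reiserfs notail,noatime,nodev 0 0
/dev/sda6 /home reiserfs notail,noatime,nodev,nosuid 0 0
/dev/cdroms/cdrom0 /mnt/cdrom iso9660 noauto,ro 0 0
proc /proc proc defaults 0 0'

# Constructed sample 2: the same layout with /tmp left at "defaults"
# and /home without nosuid, i.e. four policy gaps in total.
WEAK_FSTAB='# comment lines and blank lines are skipped
/dev/sda3 / reiserfs notail,noatime 0 0
/dev/sda4 /tmp ext3 defaults 0 0

/dev/sda5 /var reiserfs notail,noatime,nodev 0 0
/dev/sda6 /home reiserfs notail,noatime,nodev 0 0'

# expected_opts MOUNTPOINT -> options the (assumed) policy wants on it
expected_opts() {
    case "$1" in
        /tmp)  echo "nodev nosuid noexec" ;;
        /home) echo "nodev nosuid" ;;
        /var)  echo "nodev" ;;
        *)     echo "" ;;   # no policy for other mount points
    esac
}

# has_opt OPTIONS OPT -> success when OPT is in the comma-separated OPTIONS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_fstab: reads an fstab on stdin, prints "<mountpoint> missing <opt>"
# for every gap, and returns 1 if any gap was found (0 when policy is met).
audit_fstab() {
    _rc=0
    while read -r _dev _mnt _type _opts _rest; do
        case "$_dev" in ''|'#'*) continue ;; esac   # blank or comment line
        for _want in $(expected_opts "$_mnt"); do
            if ! has_opt "$_opts" "$_want"; then
                echo "$_mnt missing $_want"
                _rc=1
            fi
        done
    done
    return $_rc
}

# Stand-alone run: the handbook listing passes, the weakened copy does not,
# and the live /etc/fstab is audited when it is readable.
printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab && echo "sample fstab: OK"
printf '%s\n' "$WEAK_FSTAB" | audit_fstab || echo "weak fstab: gaps listed above"
if [ -r /etc/fstab ]; then
    audit_fstab < /etc/fstab || echo "/etc/fstab: gaps listed above"
fi
```

Because the check works on the comma-separated options field only, it reports what /etc/fstab will apply at boot; to see what is mounted right now, feed it the output of `mount` reformatted into the same six columns, or compare against /proc/mounts, where the options field has the same shape.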


Page updated March 31, 2012

Summary: /etc/fstab provides many security options.

Kim Nielsen

John P. Davis

Eric R. Stockbridge

Carl Anderson

Jorge Paulo

Sven Vermeulen

Benny Chuang

Sune Jeppesen

Tiemo Kieft

Zack Gilburd

Dan Margolis

Joshua Saddler

Copyright 2001-2015 Gentoo Foundation, Inc.