

4. Mounting Partitions

4.a. Mounting partitions

When mounting an ext2, ext3, or reiserfs partition, you have several options you can apply to the file /etc/fstab. The options are:

  • nosuid - Ignores the SUID bit, so a set-uid binary on this partition runs like an ordinary file
  • noexec - Prevents execution of files from this partition
  • nodev - Ignores device special files on this partition

Unfortunately, these settings can be circumvented fairly easily by running a file indirectly rather than executing it directly. However, setting /tmp to noexec will stop the majority of exploits designed to be executed directly from /tmp.

Code Listing 1.1: /etc/fstab

/dev/sda1 /boot ext2 noauto,noatime 1 1
/dev/sda2 none swap sw 0 0
/dev/sda3 / reiserfs notail,noatime 0 0
/dev/sda4 /tmp reiserfs notail,noatime,nodev,nosuid,noexec 0 0
/dev/sda5 /var reiserfs notail,noatime,nodev 0 0
/dev/sda6 /home reiserfs notail,noatime,nodev,nosuid 0 0
/dev/cdroms/cdrom0 /mnt/cdrom iso9660 noauto,ro 0 0
proc /proc proc defaults 0 0

Warning: Placing /tmp in noexec mode can prevent certain scripts from executing properly.

Note: For disk quotas see the Quotas section.

Note: I do not set /var to noexec or nosuid, even if files normally are never executed from this mount point. The reason for this is that netqmail is installed in /var/qmail and must be allowed to execute and access one SUID file. I set up /usr in read-only mode since I never write anything there unless I want to update Gentoo. Then I remount the file system in read-write mode, update and remount again.

Note: Even if you do not use netqmail, Gentoo still needs the executable bit honoured on /var/tmp since ebuilds are built there. An alternative path can be set up if you insist on having /var mounted in noexec mode.
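As an added example that is not part of the handbook, the following POSIX sh script audits an fstab-format listing for the per-mount-point options recommended above. The expected-option table and the sample listing (a copy of Code Listing 1.1 with noexec deliberately dropped from /tmp) are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Gentoo handbook): audit an fstab-format
# listing for the hardening options this section recommends.
# The expected options per mount point are an assumption of this example.

# Constructed sample in /etc/fstab format: the listing above, with noexec
# deliberately missing from /tmp so the audit has something to report.
SAMPLE_FSTAB='/dev/sda1 /boot ext2 noauto,noatime 1 1
/dev/sda2 none swap sw 0 0
/dev/sda3 / reiserfs notail,noatime 0 0
/dev/sda4 /tmp reiserfs notail,noatime,nodev,nosuid 0 0
/dev/sda5 /var reiserfs notail,noatime,nodev 0 0
/dev/sda6 /home reiserfs notail,noatime,nodev,nosuid 0 0
proc /proc proc defaults 0 0'

# has_opt OPTLIST OPT: succeed if OPT is one of the comma-separated options.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# required_opts MOUNTPOINT: print the options this example expects there
# (mirrors the listing: /tmp fully locked down, /home without noexec,
# /var only nodev because ebuilds are built under /var/tmp).
required_opts() {
    case "$1" in
        /tmp)  echo "nodev nosuid noexec" ;;
        /home) echo "nodev nosuid" ;;
        /var)  echo "nodev" ;;
        *)     echo "" ;;
    esac
}

# audit_fstab: read fstab text on stdin, print "MOUNTPOINT missing OPTION"
# for every expected option that is absent; return 1 if anything was missing.
audit_fstab() {
    status=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
        for want in $(required_opts "$mnt"); do
            if ! has_opt "$opts" "$want"; then
                echo "$mnt missing $want"
                status=1
            fi
        done
    done
    return $status
}

# Usage: printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab
```

Run it against the real file with `audit_fstab < /etc/fstab` after adjusting required_opts to your own layout.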





Page updated March 31, 2012

Summary: /etc/fstab provides many security options.

Kim Nielsen
Author

John P. Davis
Editor

Eric R. Stockbridge
Editor

Carl Anderson
Editor

Jorge Paulo
Editor

Sven Vermeulen
Editor

Benny Chuang
Editor

Sune Jeppesen
Editor

Tiemo Kieft
Editor

Zack Gilburd
Editor

Dan Margolis
Editor

Joshua Saddler
Editor


Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.