Gentoo Logo

1.  Mounting partitions

When mounting an ext2, ext3, or reiserfs partition, you have several options you can apply to the file /etc/fstab. The options are:

  • nosuid - Will ignore the SUID bit and make it just like an ordinary file
  • noexec - Will prevent execution of files from this partition
  • nodev - Ignores devices

Unfortunately, these settings can easily be circumvented by executing a non-direct path. However, setting /tmp to noexec will stop the majority of exploits designed to be executed directly from /tmp.

Code Listing 1.1: /etc/fstab

/dev/sda1 /boot ext2 noauto,noatime 1 1
/dev/sda2 none swap sw 0 0
/dev/sda3 / reiserfs notail,noatime 0 0
/dev/sda4 /tmp reiserfs notail,noatime,nodev,nosuid,noexec 0 0
/dev/sda5 /var reiserfs notail,noatime,nodev 0 0
/dev/sda6 /home reiserfs notail,noatime,nodev,nosuid 0 0
/dev/cdroms/cdrom0 /mnt/cdrom iso9660 noauto,ro 0 0
proc /proc proc defaults 0 0

Warning: Placing /tmp in noexec mode can prevent certain scripts from executing properly.

Note: For disk quotas see (the Quotas section).

Note: I do not set /var to noexec or nosuid, even if files normally are never executed from this mount point. The reason for this is that netqmail is installed in /var/qmail and must be allowed to execute and access one SUID file. I setup /usr in read-only mode since I never write anything there unless I want to update Gentoo. Then I remount the file system in read-write mode, update and remount again.

Note: Even if you do not use netqmail, Gentoo still needs the executable bit set on /var/tmp since ebuilds are made here. But an alternative path can be setup if you insist on having /var mounted in noexec mode.

Page updated March 31, 2012

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.