When mounting an ext2, ext3, or reiserfs partition, you have several
security-relevant options you can apply in the file /etc/fstab. The options are:
nosuid - Will ignore the SUID bit and treat such files just like ordinary files
noexec - Will prevent execution of files from this partition
nodev - Ignores device files on this partition
Unfortunately, these settings are easily circumvented, since noexec only
blocks direct execution of a file from that partition. Even so, setting
/tmp to noexec will stop the majority of exploits designed to be run
directly from /tmp.
Code Listing 1.1: /etc/fstab
/dev/sda1 /boot ext2 noauto,noatime 1 1
/dev/sda2 none swap sw 0 0
/dev/sda3 / reiserfs notail,noatime 0 0
/dev/sda4 /tmp reiserfs notail,noatime,nodev,nosuid,noexec 0 0
/dev/sda5 /var reiserfs notail,noatime,nodev 0 0
/dev/sda6 /home reiserfs notail,noatime,nodev,nosuid 0 0
/dev/cdroms/cdrom0 /mnt/cdrom iso9660 noauto,ro 0 0
proc /proc proc defaults 0 0
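The fstab above is only protective if the options are actually present on the right entries, so a defender will want a quick way to audit a fstab for them. The following POSIX shell script is an added example, not part of the Gentoo handbook: it parses a constructed fstab sample (embedded in the script, not read from the running system) and reports which of the options the listing applies (nodev, nosuid, noexec on /tmp; nodev on /var; nodev and nosuid on /home) are missing. The function names and the sample contents are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample /etc/fstab contents (hypothetical; not read from the running system).
# /home is deliberately absent so the audit has something to report.
SAMPLE_FSTAB='/dev/sda1 /boot ext2 noauto,noatime 1 1
/dev/sda4 /tmp reiserfs notail,noatime,nodev,nosuid,noexec 0 0
/dev/sda5 /var reiserfs notail,noatime,nodev 0 0
# comment lines and blank lines are skipped by the parser

proc /proc proc defaults 0 0'

# fstab_opts FSTAB_TEXT MOUNTPOINT
# Print the comma-separated mount options of MOUNTPOINT (fourth fstab field),
# or nothing if the mount point has no entry.
fstab_opts() {
  printf '%s\n' "$1" | awk -v mp="$2" \
    '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4; exit }'
}

# fstab_has_opts FSTAB_TEXT MOUNTPOINT OPT...
# Succeed (exit 0) only if MOUNTPOINT has an entry and every OPT is among its options.
# Options are matched as whole tokens, so "nodev" does not match "nodevfoo".
fstab_has_opts() {
  fstab=$1; mp=$2; shift 2
  opts=$(fstab_opts "$fstab" "$mp")
  [ -n "$opts" ] || return 1
  for want in "$@"; do
    case ",$opts," in
      *",$want,"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# audit_fstab FSTAB_TEXT
# Check the mount points hardened in the handbook listing and print one line per
# missing option. Exit 0 if everything is in place, 1 otherwise.
audit_fstab() {
  rc=0
  for spec in "/tmp:nodev,nosuid,noexec" "/var:nodev" "/home:nodev,nosuid"; do
    mp=${spec%%:*}
    for opt in $(printf '%s' "${spec#*:}" | tr ',' ' '); do
      fstab_has_opts "$1" "$mp" "$opt" || { echo "$mp is missing $opt"; rc=1; }
    done
  done
  return $rc
}

# Run the audit against the constructed sample; the "|| echo" keeps the script's
# own exit status at 0 so it can be sourced safely under "set -e".
audit_fstab "$SAMPLE_FSTAB" || echo "fstab audit found problems"
```

To audit a real system, pass the file contents instead of the sample: `audit_fstab "$(cat /etc/fstab)"`. Remember that this checks only what fstab declares; a partition remounted by hand may carry different options, so compare the result against `mount` output as well.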
Placing /tmp in noexec mode can prevent certain scripts
from executing properly.
For disk quotas, see the Quotas section.
I do not set /var to noexec or nosuid, even though files
are normally never executed from this mount point. The reason is that
netqmail is installed in /var/qmail and must be allowed to execute
and access one SUID file. I set up /usr in read-only mode since I
never write anything there unless I want to update Gentoo. Then I remount the
file system in read-write mode, update, and remount it read-only again.
Even if you do not use netqmail, Gentoo still needs the executable bit set on
/var/tmp since ebuilds are built there. But an alternative path can
be set up if you insist on having /var mounted in noexec