[lug] Permissions in FSTAB

Bear Giles bgiles at coyotesong.com
Fri Dec 7 15:35:36 MST 2012


A quick PSA - nearly all of your partitions should be mounted nodev and
nosuid. There's just not any need for those flags outside of a few very
specific needs and if you permit it then an attacker can do all sorts of
mischief.  I would add noexec as well but that occasionally causes problems.

For a while I had set up apt so that it would automatically bracket updates
with 'mount -oremount,exec /tmp' and 'mount -oremount,noexec /tmp' and that
got rid of a lot of problems but some other legitimate apps also want to
create and run apps in /tmp. Things tend to fail quietly when that
partition doesn't have exec permission.

On Fri, Dec 7, 2012 at 11:37 AM, Ryan Newby <renewby at gmail.com> wrote:

> Thank you sir.
>
>
> On Fri, Dec 7, 2012 at 11:29 AM, Orion Poplawski <orion at cora.nwra.com> wrote:
>
>> On 12/07/2012 11:24 AM, Ryan Newby wrote:
>> > Can someone point me in the right direction on correctly setting permissions
>> > on partitions via fstab?
>> >
>> > Running Ubuntu Server 12.04 on XenServer 6
>> >
>> > Trying to set the following permissions:
>> >
>> > / ro
>> > /var noexec,nosetuid
>> > /home nosetuid
>> > /tmp noexec,nosetuid
>> > /opt ro,nosetuid
>> >
>> > # I attempted to follow documentation via
>> > https://help.ubuntu.com/community/Fstab with no avail.
>> > Testing with /home and the configuration below, I receive an error after
>> > rebooting "11.289552] EXT3-fs (xvda5): error: unrecognized mount option
>> > "nosetuid" or missing value"
>> >
>> > UUID=3a009b73-fd44-4829-b86a-fee8b383f517 /home       ext3    nosetuid          0       2
>> >
>> >
>> > #Current config:
>> >
>> >   <file system> <mount point>   <type>  <options>       <dump>  <pass>
>> > proc            /proc           proc    nodev,noexec,nosuid 0       0
>>                                                         ^^^^^^
>> The option name is "nosuid".
>>
>>
>>
>> --
>> Orion Poplawski
>> Technical Manager                     303-415-9701 x222
>> NWRA, Boulder Office                  FAX: 303-415-9702
>> 3380 Mitchell Lane                       orion at nwra.com
>> Boulder, CO 80301                   http://www.nwra.com
>> _______________________________________________
>> Web Page:  http://lug.boulder.co.us
>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>>
>
>
>
> --
> Ryan Newby
> email:renewby at gmail.com
> phone:303-720-9498
>
>
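An added audit script, not something posted in the thread: it applies the rule from the PSA above (nodev and nosuid on every filesystem other than / and swap) to a constructed fstab and also flags the "nosetuid" typo from the original question, which the kernel rejects at mount time. The sample entries and the UUID placeholders are made up for the example.

```shell
#!/bin/sh
# Audit fstab entries for the nodev/nosuid hardening discussed in the thread.
# Constructed sample fstab (placeholder UUIDs, not from a real system).
SAMPLE_FSTAB='
# <file system> <mount point> <type> <options> <dump> <pass>
proc                  /proc proc nodev,noexec,nosuid  0 0
UUID=PLACEHOLDER-ROOT /     ext4 errors=remount-ro    0 1
UUID=PLACEHOLDER-HOME /home ext3 nosetuid             0 2
UUID=PLACEHOLDER-TMP  /tmp  ext4 nodev,nosuid,noexec  0 2
UUID=PLACEHOLDER-VAR  /var  ext4 defaults             0 2
UUID=PLACEHOLDER-SWAP none  swap sw                   0 0
'

# has_opt OPTIONS NAME: succeeds if NAME is in the comma-separated list.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# check_entry MOUNTPOINT TYPE OPTIONS: prints one finding per line and
# returns non-zero when the entry needs attention.
check_entry() {
    mp=$1; fstype=$2; opts=$3; rc=0
    # "nosetuid" is not a mount option; mount(8) will refuse the entry.
    if has_opt "$opts" nosetuid; then
        echo "$mp: 'nosetuid' is not a valid option; use 'nosuid'"; rc=1
    fi
    # swap and the root filesystem are outside the nodev/nosuid rule.
    [ "$fstype" = swap ] && return $rc
    [ "$mp" = / ] && return $rc
    for want in nodev nosuid; do
        has_opt "$opts" "$want" || { echo "$mp: missing $want"; rc=1; }
    done
    return $rc
}

# audit_fstab: reads fstab text on stdin; exit status is the number of
# entries with findings (0 means everything carries nodev,nosuid).
audit_fstab() {
    bad=0
    while read -r fs mp fstype opts dump pass; do
        case "$fs" in ''|'#'*) continue ;; esac   # skip blank/comment lines
        check_entry "$mp" "$fstype" "$opts" || bad=$((bad + 1))
    done
    return $bad
}

printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab || echo "$? entries need attention"
```

Run it against the live file with `audit_fstab < /etc/fstab`; the /proc entry in the sample is the one Orion corrected, and /home shows the typo next to the two missing flags.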