[lug] Permissions in FSTAB
bgiles at coyotesong.com
Fri Dec 7 15:35:36 MST 2012
A quick PSA - nearly all of your partitions should be mounted nodev and
nosuid. There's just not any need for those flags outside of a few very
specific needs and if you permit it then an attacker can do all sorts of
mischief. I would add noexec as well but that occasionally causes problems.
For a while I had set up apt so that it would automatically bracket updates
with 'mount -oremount,exec /tmp' and 'mount -oremount,noexec /tmp' and that
got rid of a lot of problems but some other legitimate apps also want to
create and run apps in /tmp. Things tend to fail quietly when that
partition doesn't have exec permission.
On Fri, Dec 7, 2012 at 11:37 AM, Ryan Newby <renewby at gmail.com> wrote:
> Thank you sir.
> On Fri, Dec 7, 2012 at 11:29 AM, Orion Poplawski <orion at cora.nwra.com> wrote:
>> On 12/07/2012 11:24 AM, Ryan Newby wrote:
>> > Can someone point me in the right direction on correctly setting
>> > on partitions via fstab?
>> > Running Ubuntu Server 12.04 on XenServer 6
>> > Trying to set the following permissions:
>> > / ro
>> > /var noexec,nosetuid
>> > /home nosetuid
>> > /tmp noexec,nosetuid
>> > /opt ro,nosetuid
>> > # I attempted to follow documentation via
>> > https://help.ubuntu.com/community/Fstab to no avail.
>> > Testing with /home and the configuration below, I receive an error after
>> > rebooting "11.289552] EXT3-fs (xvda5): error: unrecognized mount option
>> > "nosetuid" or missing value"
>> > UUID=3a009b73-fd44-4829-b86a-fee8b383f517 /home ext3 nosetuid
>> > 0 2
>> > #Current config:
>> > <file system> <mount point> <type> <options> <dump> <pass>
>> > proc /proc proc nodev,noexec,nosuid 0 0
>> The option name is "nosuid".
>> Orion Poplawski
>> Technical Manager 303-415-9701 x222
>> NWRA, Boulder Office FAX: 303-415-9702
>> 3380 Mitchell Lane orion at nwra.com
>> Boulder, CO 80301 http://www.nwra.com
>> Web Page: http://lug.boulder.co.us
>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
> Ryan Newby
> email:renewby at gmail.com
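An added example, not from anyone in this thread: a small POSIX sh audit that walks an fstab, catches the "nosetuid" misspelling Orion pointed out (the whole entry fails to mount), and lists non-root filesystems that lack the nodev/nosuid flags recommended above, with noexec reported only as advisory. The sample fstab and its placeholder UUIDs are constructed for the example.

```shell
#!/bin/sh
# Constructed sample /etc/fstab for this example (PLACEHOLDER UUIDs are
# not real). It includes the "nosetuid" typo from the thread.
sample_fstab() {
    cat <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc nodev,noexec,nosuid 0 0
/dev/xvda1 / ext4 errors=remount-ro 0 1
UUID=3a009b73-fd44-4829-b86a-fee8b383f517 /home ext3 nosetuid 0 2
UUID=PLACEHOLDER-TMP /tmp ext4 defaults 0 2
UUID=PLACEHOLDER-VAR /var ext4 nodev,nosuid,noexec 0 2
EOF
}

# Read fstab lines on stdin and print one finding per line:
#   "<mount point> <problem>"
# Flags the misspelled option "nosetuid" and any non-root filesystem
# missing nodev or nosuid. noexec is advisory only, since the thread
# notes it breaks apt and other programs that execute from /tmp.
audit_fstab() {
    while read -r fs mnt type opts dump pass; do
        case "$fs" in ''|'#'*) continue ;; esac   # blank line or comment
        # / must carry the setuid binaries (su, sudo); swap has no
        # options worth checking. Both are skipped.
        case "$mnt" in /|none|swap) continue ;; esac
        case ",$opts," in
            *,nosetuid,*) echo "$mnt unknown option nosetuid (did you mean nosuid?)" ;;
        esac
        for want in nodev nosuid; do
            case ",$opts," in
                *",$want,"*) ;;
                *) echo "$mnt missing $want" ;;
            esac
        done
        case ",$opts," in
            *,noexec,*) ;;
            *) echo "$mnt advisory: no noexec" ;;
        esac
    done
}

# Wrapper for a real file: prints findings and returns 1 if any exist,
# so it can be used from cron or a config-check job.
audit_fstab_file() {
    findings=$(audit_fstab <"$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it against the live file with `audit_fstab_file /etc/fstab`; the sample above yields seven findings, four on /home and three on /tmp.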