1 |
Am 24.04.2013 17:12, schrieb Tanstaafl: |
2 |
> On 2013-04-24 8:48 AM, Florian Philipp <lists@×××××××××××.net> wrote: |
3 |
>>> One thing I'm trying to do is make the system as secure as |
4 |
>>> possible at the filesystem level, and I've read that making /tmp |
5 |
>>> and /var/tmp separate partitions so you can mount them |
6 |
>>> /nodev/noexec/nosuid is one way to make things a bit more |
7 |
>>> secure... |
8 |
> |
9 |
>> noexec won't work for portage so put PORTAGE_TMPDIR somewhere else. |
10 |
> |
11 |
> Ok, but - does it make sense to add the noexec option to /var/tmp? Is it |
12 |
> possible that there are other apps that need exec capability in there? |
13 |
> |
14 |
|
15 |
It makes sense. Any world-writable directory should be noexec to make |
16 |
script injection harder. Other directories, too, like /var/www (if you |
17 |
can, i.e. no cgi). I cannot tell you if any application might need it. |
18 |
Try it. It is easy enough to revert, maybe even with a `mount -o |
19 |
remount`, I'm not sure. |
20 |
|
21 |
Also, look at |
22 |
http://serverfault.com/questions/72356/how-useful-is-mounting-tmp-noexec |
23 |
|
24 |
>>> On that note, I realized I can't make two /tmp's in lvm, so, I guess I |
25 |
>>> can make a vtmp, and just bind that to /var/tmp in fstab like: |
26 |
>>> |
27 |
>>> /dev/vg/vtmp /var/tmp ext4 nodev,noexec,nosuid 0 0 |
28 |
>>> |
29 |
>>> Will that work? |
30 |
> |
31 |
>> Sure why not but you should set the pass column to 2 instead of 0. |
32 |
> |
33 |
> What is the 'pass' column? Th 5th column is the 'dump' column, and the |
34 |
> 6th is the 'fsck' column, afaik? |
35 |
> |
36 |
|
37 |
Okay, your "fsck" column is called "pass" in my fstab. Anyway, a value |
38 |
of two means "fsck after root", one means "fsck as root" and 0 "no |
39 |
fsck". See `man fstab`. Obviously you want fsck. |
40 |
|
41 |
Regards, |
42 |
Florian Philipp |