Am 24.04.2013 17:12, schrieb Tanstaafl: > On 2013-04-24 8:48 AM, Florian Philipp <li...@binarywings.net> wrote: >>> One thing I'm trying to do is make the system as secure as >>> possible at the filesystem level, and I've read that making /tmp >>> and /var/tmp separate partitions so you can mount them >>> /nodev/noexec/nosuid is one way to make things a bit more >>> secure... > >> noexec won't work for portage so put PORTAGE_TMPDIR somewhere else. > > Ok, but - does it make sense to add the noexec option to /var/tmp? Is it > possible that there are other apps that need exec capability in there? >
It makes sense. Any world-writable directory should be noexec to make script injection harder. Other directories, too, like /var/www (if you can, i.e. no cgi). I cannot tell you if any application might need it. Try it. It is easy enough to revert, maybe even with a `mount -o remount`, I'm not sure. Also, look at http://serverfault.com/questions/72356/how-useful-is-mounting-tmp-noexec >>> On that note, I realized I can't make two /tmp's in lvm, so, I guess I >>> can make a vtmp, and just bind that to /var/tmp in fstab like: >>> >>> /dev/vg/vtmp /var/tmp ext4 nodev,noexec,nosuid 0 0 >>> >>> Will that work? > >> Sure why not but you should set the pass column to 2 instead of 0. > > What is the 'pass' column? Th 5th column is the 'dump' column, and the > 6th is the 'fsck' column, afaik? > Okay, your "fsck" column is called "pass" in my fstab. Anyway, a value of two means "fsck after root", one means "fsck as root" and 0 "no fsck". See `man fstab`. Obviously you want fsck. Regards, Florian Philipp
signature.asc
Description: OpenPGP digital signature
