[TriLUG] Securing /etc/fstab
Mike McLean
mamclean at eos.ncsu.edu
Tue Dec 11 17:55:47 EST 2001
Jeremy P wrote:
> You should definitely NOT have the "user" option for these filesystems...
> "user" means "Allow an ordinary user to mount the file system." You don't
> want users mounting/unmounting core filesystems on a server! The "user"
> option is only appropriate on workstations for removeable drives, so you
> can mount a CD or floppy without su-ing to root.
Well, keep in mind the difference between user and users. With 'user'
only the user that mounted the filesystem (and root) can unmount it. So
if the filesystem is mounted at boot time by root, then only root will
be able to unmount it. So using the user option is probably ok, but I
think that it hides the actual intent.
> Also, you don't want "noexec" set for /home; otherwise users won't be able
> to run their own binaries. Are you really trying to be that draconian?
> I suppose that depending on your users it might be acceptable (you'd want
> to put YOUR home directory somewhere other than /home in that situation).
I reacted this way too at first, but it could make sense on certain
systems. If the machine is webserver and the only use for an account is
to post a web page, then this additional layer of insulation against
user exploits might be practical. For that matter, you might not even
let the users have shell access. Make them ftp or rsync their files in.
More information about the TriLUG
mailing list