nosuid, noexec and nodev are generic mount options you can set on any entry in
/etc/fstab; they are not specific to ext3, the partitions here just happen to be ext3.
nosuid ignores the setuid and setgid bits on that mount point,
noexec forbids direct execution of any program stored on that mount point (it does not
stop an interpreter from reading a script, so sh /tmp/x.sh still runs), and
nodev ignores device files on it. Having this in mind, here you go:
# /home was on /dev/sda9 during installation
UUID=... /home ext3 defaults,noatime,nodiratime,nodev,nosuid 0 2
# /tmp was on /dev/sda8 during installation
UUID=... /tmp ext3 defaults,noatime,nodiratime,nodev,nosuid,noexec 0 2
# /usr was on /dev/sda5 during installation
UUID=... /usr ext3 defaults,noatime,nodiratime,nodev,ro 0 2
# /var was on /dev/sda6 during installation
UUID=... /var ext3 defaults,noatime,nodiratime,nodev,noexec,nosuid 0 2
/dev/hda /cdrom udf,iso9660 user,noauto,ro,nodev,nosuid,noexec 0 0
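Once the fstab above is in place, the thing that actually matters is what the kernel currently has mounted, not what the file says: a remount for an upgrade, or a typo in the option list, silently leaves a mount point more permissive than intended. The script below is an added example written for this post, not part of the original; it reads mount options in /proc/mounts format and reports which options from a policy are missing. SAMPLE_MOUNTS is constructed test data in which /tmp has lost noexec; pass an empty string instead of it to audit the live system.

```shell
#!/bin/sh
# Audit the options of mounted file systems against a policy.
# Added example for this post. Data is expected in /proc/mounts format
# (device mountpoint fstype options dump pass). SAMPLE_MOUNTS is constructed
# test data: every mount matches the fstab above except /tmp, which has lost
# noexec (as after fs-write without fs-readonly).
SAMPLE_MOUNTS='/dev/sda5 /usr ext3 ro,noatime,nodiratime,nodev 0 0
/dev/sda6 /var ext3 rw,noatime,nodiratime,nodev,noexec,nosuid 0 0
/dev/sda8 /tmp ext3 rw,noatime,nodiratime,nodev,nosuid 0 0
/dev/sda9 /home ext3 rw,noatime,nodiratime,nodev,nosuid 0 0'

# has_opt OPTS OPT: succeed if the comma-separated OPTS contains OPT exactly
# (so "nodev" does not match "dev" and "noexec" does not match "exec").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# mount_opts MOUNTPOINT [DATA]: print the option field for MOUNTPOINT from
# DATA (default: the live /proc/mounts). When a path has been mounted over
# more than once, the last entry is the visible one, so the last match wins.
mount_opts() {
    mp=$1
    data=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$data" |
        awk -v mp="$mp" '$2 == mp { o = $4 } END { if (o != "") print o }'
}

# check_mount MOUNTPOINT WANTED [DATA]: report options from the comma-separated
# WANTED list that are not set. Returns 0 if all are set, 1 if some are
# missing, 2 if MOUNTPOINT is not mounted at all.
check_mount() {
    mp=$1 want=$2 data=$3
    opts=$(mount_opts "$mp" "$data")
    [ -n "$opts" ] || { echo "$mp: not mounted"; return 2; }
    old_ifs=$IFS; IFS=,; set -- $want; IFS=$old_ifs
    missing=
    for o in "$@"; do
        has_opt "$opts" "$o" || missing="$missing $o"
    done
    [ -z "$missing" ] || { echo "$mp: missing$missing"; return 1; }
    return 0
}

# audit DATA MOUNTPOINT:WANTED...: run check_mount for every policy entry;
# returns 1 if any mount point deviates from the policy.
audit() {
    data=$1; shift
    status=0
    for entry in "$@"; do
        check_mount "${entry%%:*}" "${entry#*:}" "$data" || status=1
    done
    return $status
}

# The policy matching the fstab above, run against the constructed sample.
# Replace "$SAMPLE_MOUNTS" with "" to check the running system.
audit "$SAMPLE_MOUNTS" /usr:ro,nodev /var:nodev,noexec,nosuid \
    /tmp:nodev,nosuid,noexec /home:nodev,nosuid \
    || echo 'mount options deviate from policy' >&2
```

Run it from cron or at the end of an upgrade: on the sample it prints "/tmp: missing noexec" and exits non-zero, which is exactly the state you are in after fs-write if fs-readonly was forgotten.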
While /usr is read-only you need to remount it read-write before a system upgrade,
and /var needs exec because dpkg runs the package maintainer scripts from under /var/lib/dpkg.
Mind that there is no space after the comma in the option list: with
"mount -o remount, rw /usr" the options would be "remount," and "rw" would be taken as the device.
mount -o remount,rw /usr && mount -o remount,exec /var
apt-get upgrade
reboot
Here is the way to remount the partitions back:
mount -o remount,ro /usr && mount -o remount,noexec /var
Since typing the above commands every time takes a while, you soon come up with scripts; here they are just in case. File
/usr/local/sbin/fs-write:
#!/bin/sh
# Open the file systems for an upgrade: /usr writable, /var and /tmp executable.
/bin/mount -o remount,rw /usr || echo 'Failed to remount /usr rw' >&2
/bin/mount -o remount,exec /var || echo 'Failed to remount /var exec' >&2
/bin/mount -o remount,exec /tmp || echo 'Failed to remount /tmp exec' >&2
and
/usr/local/sbin/fs-readonly:
#!/bin/sh
# Put the restrictive options back: /usr read-only, /var and /tmp noexec.
/bin/mount -o remount,ro /usr || echo 'Failed to remount /usr ro' >&2
/bin/mount -o remount,noexec /var \
|| echo 'Failed to remount /var noexec' >&2
/bin/mount -o remount,noexec /tmp \
|| echo 'Failed to remount /tmp noexec' >&2
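The two scripts above rely on you remembering to run fs-readonly after the upgrade; if apt-get fails or the session is interrupted, the system stays writable and executable. The wrapper below is an added example for this post, not one of the author's scripts: it opens the file systems, runs one command, and restores the restrictive options through an EXIT trap whatever the command's outcome. The MOUNT variable is an assumed knob so the logic can be exercised without root (MOUNT=echo prints the remounts instead of performing them).

```shell
#!/bin/sh
# upgrade-rw: open /usr, /var and /tmp for the duration of one command
# (normally "apt-get upgrade") and restore the restrictive options afterwards,
# even when the command fails or the session is interrupted.
# Added example for this post, not part of the original. MOUNT is an assumed
# knob for dry runs: MOUNT=echo ./upgrade-rw apt-get upgrade only prints.
MOUNT=${MOUNT:-/bin/mount}

# open_fs: make /usr writable and allow execution on /var and /tmp.
# Stops at the first failure so a half-open state is reported, not ignored.
open_fs() {
    $MOUNT -o remount,rw /usr &&
    $MOUNT -o remount,exec /var &&
    $MOUNT -o remount,exec /tmp
}

# close_fs: put the restrictive options back. Every remount is attempted even
# if an earlier one fails; returns non-zero if any of them failed.
close_fs() {
    rc=0
    $MOUNT -o remount,ro /usr     || { echo 'Failed to remount /usr ro' >&2; rc=1; }
    $MOUNT -o remount,noexec /var || { echo 'Failed to remount /var noexec' >&2; rc=1; }
    $MOUNT -o remount,noexec /tmp || { echo 'Failed to remount /tmp noexec' >&2; rc=1; }
    return $rc
}

# run_upgrade COMMAND...: open, run COMMAND, close. The EXIT trap restores the
# mounts if the shell is killed or interrupted while COMMAND runs; the return
# status is COMMAND's own, or 1 if the mounts could not be restored.
run_upgrade() {
    open_fs || { echo 'Could not open file systems, restoring' >&2; close_fs; return 1; }
    trap 'close_fs' EXIT
    trap 'exit 130' INT TERM
    "$@"
    status=$?
    trap - EXIT INT TERM
    close_fs || status=1
    return $status
}

# Only act when invoked as a script with a command to run, e.g.
#   upgrade-rw apt-get upgrade
if [ "$#" -gt 0 ]; then
    run_upgrade "$@"
    exit $?
fi
```

With this in place the reboot step from the upgrade sequence above is unchanged; the point is that the window in which /usr is writable and /var and /tmp are executable is exactly as long as the upgrade itself.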
See also
this.