Monday, April 26, 2010

Mount EXT3 partitions securely

Several mount options in /etc/fstab restrict what an ext3 file system may be used for. The option nosuid ignores the setuid and setgid bits, noexec forbids executing any program from that mount point, and nodev ignores device files. With this in mind, here you go:
# /home was on /dev/sda9 during installation
UUID=...   /home   ext3          defaults,noatime,nodiratime,nodev,nosuid          0 2
# /tmp was on /dev/sda8 during installation
UUID=...   /tmp    ext3          defaults,noatime,nodiratime,nodev,nosuid,noexec   0 2
# /usr was on /dev/sda5 during installation
UUID=...   /usr    ext3          defaults,noatime,nodiratime,nodev,ro              0 2
# /var was on /dev/sda6 during installation
UUID=...   /var    ext3          defaults,noatime,nodiratime,nodev,noexec,nosuid   0 2
/dev/hda   /cdrom  udf,iso9660   user,noauto,ro,nodev,nosuid,noexec                0 0
While /usr is mounted read-only you need to remount it read-write before a system upgrade; /var must allow execution as well, because dpkg runs package maintainer scripts from /var/lib/dpkg:
mount -o remount,rw /usr && mount -o remount,exec /var
apt-get upgrade
reboot
Here is a way to remount the partitions back:
mount -o remount,ro /usr && mount -o remount,noexec /var
Since typing the above commands takes some time, you soon end up with a script. Here they are, just in case. File /usr/local/sbin/fs-write:
#!/bin/sh

/bin/mount -o remount,rw /usr || echo 'Failed to remount /usr rw'
/bin/mount -o remount,exec /var || echo 'Failed to remount /var exec'
/bin/mount -o remount,exec /tmp || echo 'Failed to remount /tmp exec'
and /usr/local/sbin/fs-readonly:
#!/bin/sh

/bin/mount -o remount,ro /usr || echo 'Failed to remount /usr ro'
/bin/mount -o remount,noexec /var \
|| echo 'Failed to remount /var noexec'
/bin/mount -o remount,noexec /tmp \
|| echo 'Failed to remount /tmp noexec'
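A quick way to verify that the options from the fstab above are actually in effect, and that fs-readonly was not forgotten after an upgrade, is to compare the live mount table against the intended policy. This is an added example, not part of the original post; mount_has_opts and the sample mount table are my own constructions, and the sample deliberately shows /var still exec as fs-write leaves it.

```shell
#!/bin/sh
# Constructed sample in the format of /proc/self/mounts
# (device mountpoint fstype options dump pass); /var is missing
# noexec, as it would be after running fs-write without fs-readonly.
SAMPLE_MOUNTS='/dev/sda9 /home ext3 rw,noatime,nodiratime,nodev,nosuid 0 0
/dev/sda8 /tmp ext3 rw,noatime,nodiratime,nodev,nosuid,noexec 0 0
/dev/sda5 /usr ext3 ro,noatime,nodiratime,nodev 0 0
/dev/sda6 /var ext3 rw,noatime,nodiratime,nodev,nosuid 0 0'

# mount_has_opts MOUNTPOINT OPT[,OPT...] [MOUNTS_TEXT]
# Returns 0 if every listed option is set on MOUNTPOINT, 1 if any is
# missing (names them on stderr), 2 if MOUNTPOINT is not mounted at all.
# Reads /proc/self/mounts unless a mounts text is passed as third argument.
mount_has_opts() {
    _mp=$1
    _want=$2
    _src=${3:-$(cat /proc/self/mounts)}
    _opts=$(printf '%s\n' "$_src" | awk -v mp="$_mp" '$2 == mp { print $4 }')
    [ -n "$_opts" ] || return 2
    _missing=""
    for _o in $(printf '%s' "$_want" | tr ',' ' '); do
        # Match whole option names only: "exec" must not match "noexec",
        # and "nodev" must not match "nodiratime".
        case ",$_opts," in
            *",$_o,"*) ;;
            *) _missing="$_missing $_o" ;;
        esac
    done
    if [ -n "$_missing" ]; then
        echo "$_mp is missing:$_missing" >&2
        return 1
    fi
    return 0
}

# Audit the sample against the policy the fstab expresses; drop the
# third argument to audit the running system instead.
for mp in /home /tmp /usr /var; do
    case $mp in
        /home)     want=nodev,nosuid ;;
        /tmp|/var) want=nodev,nosuid,noexec ;;
        /usr)      want=ro,nodev ;;
    esac
    mount_has_opts "$mp" "$want" "$SAMPLE_MOUNTS" && echo "$mp ok"
done
```

Run as root from cron or after the upgrade procedure; any "is missing" line means fs-readonly (or a remount) is still due.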
