
Partition mount options (was Re: apg-get: "Can't exec "/var...)



on Mon, Nov 27, 2000 at 11:51:10AM -0800, Joey Hess (joeyh@debian.org) wrote:
> kmself@ix.netcom.com wrote:
> > Damn, you're good:
> > 
> >     $ mount | grep '/var '
> >     /dev/sdb6 on /var type ext2 (rw,noexec,nosuid,nodev)
> > 
> > ...I figured it was a security bonus -- no executables in variable
> > content filesystems.  I'll have to rethink that one, clearly.
> 
> I would feel bad and offer to change debconf, but I suspect you will see
> similar problems when installing any package with a preinst script, or
> probably any other maintainer script for that matter.

I suspect this isn't something Debian can fix and make go away.

Following discussion here a few weeks ago, I tweaked several of my
partition mount options, specifically disallowing suid, dev, and exec
privileges on a number of partitions.  I suspect 'noexec' is going to be
a bit problematic in a number of places.  I've since changed /var to
allow 'exec' privileges. 


  # <fs>      <mountpt>        <type>   <options>                          <dump> <pass>
  /dev/hda3   /                ext2     defaults,errors=remount-ro         0      1

  /dev/sdb5   /tmp             ext2     defaults,nosuid,noexec,nodev       0      2
  /dev/sdb6   /var             ext2     defaults,nosuid,nodev              0      2
  /dev/hda5   /var/spool/news  ext2     defaults,nosuid,noexec,nodev       0      2
  /dev/sda5   /usr             ext2     defaults,ro,nodev                  0      2
  /dev/sdb7   /usr/local       ext2     defaults,ro,nosuid,nodev           0      2
  /dev/sda7   /home            ext2     defaults,nosuid,nodev              0      2

  /dev/hdc    /mnt/cdrom       iso9660  noauto,user,ro,nodev,nosuid        2      2
  /dev/fd0    /mnt/floppy      auto     noauto,gid=disk,umask=007,rw,user  2      2

Note that 'user' implies noexec, nosuid, and nodev.

Thoughts, anyone?

-- 
Karsten M. Self <kmself@ix.netcom.com>     http://www.netcom.com/~kmself
 Evangelist, Zelerate, Inc.                      http://www.zelerate.org
  What part of "Gestalt" don't you understand?      There is no K5 cabal
   http://gestalt-system.sourceforge.net/        http://www.kuro5hin.org
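A small audit script, added here as a worked example (it is not part of Karsten's post, nor Debian's own tooling): it resolves an fstab option string the way mount(8) does, so that "defaults" resets the flags and "user"/"users" imply noexec,nosuid,nodev unless a later exec/suid/dev re-enables them, then reports which of nosuid/nodev/noexec each mount still lacks. The fstab text embedded in it is constructed from the table in the post; the function names (effective_flags, missing_hardening, audit_fstab) are assumptions of the example.

```sh
#!/bin/sh
# Added example, not part of the original post: audit fstab-style entries
# for the nosuid/nodev/noexec hardening the thread is about.  The fstab
# text below is constructed from the entries in the post.

# Resolve an fstab/mount(8) option string to its effective exec, suid and
# dev flags.  Order matters: mount applies options left to right,
# "defaults" resets to rw,suid,dev,exec,auto,nouser,async, and
# "user"/"users" imply noexec,nosuid,nodev unless a later exec/suid/dev
# re-enables them.  Prints "exec|noexec suid|nosuid dev|nodev".
effective_flags() {
    ex=exec; su=suid; de=dev
    oldifs=$IFS; IFS=,
    for o in $1; do
        case $o in
            defaults)    ex=exec;   su=suid;   de=dev   ;;
            user|users)  ex=noexec; su=nosuid; de=nodev ;;
            exec|noexec) ex=$o ;;
            suid|nosuid) su=$o ;;
            dev|nodev)   de=$o ;;
        esac
    done
    IFS=$oldifs
    printf '%s %s %s\n' "$ex" "$su" "$de"
}

# Print the hardening options a mount still lacks (space separated),
# or "ok" when exec, suid and dev are all disabled.
missing_hardening() {
    set -- $(effective_flags "$1")
    out=
    if [ "$1" = exec ]; then out="$out noexec"; fi
    if [ "$2" = suid ]; then out="$out nosuid"; fi
    if [ "$3" = dev ];  then out="$out nodev";  fi
    if [ -z "$out" ];   then out=" ok";         fi
    printf '%s\n' "${out# }"
}

# Read fstab-format lines on stdin and print "mountpoint: <missing|ok>"
# for each real entry.  Comment and blank lines are skipped.
audit_fstab() {
    while read -r fs mp type opts rest; do
        case $fs in ''|'#'*) continue ;; esac
        printf '%s: %s\n' "$mp" "$(missing_hardening "$opts")"
    done
}

# Constructed input: the partition table from the post.
FSTAB='# <fs>     <mountpt>       <type>  <options>                         <dump> <pass>
/dev/hda3  /               ext2    defaults,errors=remount-ro        0 1
/dev/sdb5  /tmp            ext2    defaults,nosuid,noexec,nodev      0 2
/dev/sdb6  /var            ext2    defaults,nosuid,nodev             0 2
/dev/hda5  /var/spool/news ext2    defaults,nosuid,noexec,nodev      0 2
/dev/sda5  /usr            ext2    defaults,ro,nodev                 0 2
/dev/sdb7  /usr/local      ext2    defaults,ro,nosuid,nodev          0 2
/dev/sda7  /home           ext2    defaults,nosuid,nodev             0 2
/dev/hdc   /mnt/cdrom      iso9660 noauto,user,ro,nodev,nosuid       2 2
/dev/fd0   /mnt/floppy     auto    noauto,gid=disk,umask=007,rw,user 2 2'

# On a live system feed it the real thing instead, e.g.
#   audit_fstab < /etc/fstab      or      audit_fstab < /proc/mounts
printf '%s\n' "$FSTAB" | audit_fstab
```

Run against the table above it reports /tmp, /var/spool/news, /mnt/cdrom and /mnt/floppy as fully hardened (the last two only because "user" pulls in all three flags), and /var, /usr/local and /home as lacking noexec. Treat that /var line as a finding to judge rather than fix blindly: dpkg executes maintainer scripts directly from /var/lib/dpkg/info, which is exactly why the preinst run in this thread failed once /var was mounted noexec, so noexec belongs on the subtrees that never need to run anything (/var/spool/news here) rather than on /var as a whole.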
