
Re: Securing Debian Manual: 4.9 Mounting partitions the right way



On Thu, Mar 8, 2012 at 15:39, Andrei POPESCU <andreimpopescu@gmail.com> wrote:
> On Jo, 08 mar 12, 17:07:21, Stayvoid wrote:
>> Hello.
>>
>> "This sounds great, but it: only applies to ext2 or ext3 file systems…" [1]
>> What about ext4 (and others)?
>
> You may safely assume ext4 includes any features that ext2 and ext3
> include.
>

nosuid, nodev, etc. can be applied to at least xfs, jfs, reiserfs/reiser4, btrfs
and probably others. Ntfs, fat32, hfs, etc. maybe, maybe not. Those flags
are probably implemented largely in the vfs layer.

Ah, yes, from Linux 3.1, /include/linux/fs.h:

/*
 * These are the fs-independent mount-flags: up to 32 flags are supported
 */
#define MS_RDONLY        1      /* Mount read-only */
#define MS_NOSUID        2      /* Ignore suid and sgid bits */
#define MS_NODEV         4      /* Disallow access to device special files */
#define MS_NOEXEC        8      /* Disallow program execution */
....

Not really sure why it says it is ext* only.
Also worth noting: as we move to a cleaned up FS with /run and
/tmp a tmpfs by default, it might be easier to make /var and /tmp
noexec... var especially doesn't seem to me to have any business
having executable files.


Cheers,
Kelly Clowers
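
Added example, not part of the original message: because these options are fs-independent, a hardening audit can check them the same way for every filesystem type listed in /proc/mounts. The policy table and the sample mount lines below are constructed for illustration and are assumptions, not Debian defaults.

```python
import re

# Hypothetical policy for this example: options each mount point should carry.
POLICY = {
    "/tmp": {"nosuid", "nodev", "noexec"},
    "/var": {"nosuid", "nodev", "noexec"},
    "/run": {"nosuid", "nodev"},
}

# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,mode=755 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda5 /var xfs rw,relatime,attr2,inode64 0 0
/dev/sdb1 /mnt/my\\040disk vfat rw,nosuid,nodev,noexec 0 0
"""

def unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    """Return {mount_point: (fstype, options)}; a later line wins (overmount)."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or line.startswith("#"):
            continue
        table[unescape(parts[1])] = (parts[2], set(parts[3].split(",")))
    return table

def audit(text, policy=POLICY):
    """Return sorted (mount_point, fstype, missing_options) policy violations."""
    table = parse_mounts(text)
    findings = []
    for mnt, required in policy.items():
        # fstype None means the path is not a separate mount point at all.
        fstype, opts = table.get(mnt, (None, set()))
        missing = sorted(required - opts)
        if missing:
            findings.append((mnt, fstype, missing))
    return sorted(findings, key=lambda f: f[0])

if __name__ == "__main__":
    for mnt, fstype, missing in audit(SAMPLE_MOUNTS):
        print(f"{mnt} ({fstype or 'not a mount point'}): missing {','.join(missing)}")
```

On a live system, pass the contents of /proc/mounts to `audit()` instead of the sample text.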

