Hi
Re: Centos 6.2 and restrictive mount-flags
I've seen several examples for separating file systems into various partitions so that one can fine-tune permissions and functionality, but in each example the author recommends mounting the /var partition as "defaults,nosuid".
Query: I was wondering if there was a reason why "nodev" is not recommended on Centos/RHEL/Fedora.
/dev/VG_OS/lv_var /var ext3 defaults,nosuid,nodev 1 2
I understand that "noexec" is not recommended as under /var, one may have websites which require exec permissions for CGI scripts.
regards,
jinesh
Example 1 - [url=http://wiki.centos.org/HowTos/OS_Protection]http://wiki.centos.org/HowTos/OS_Protection[/url]
Example 2 - [url=http://myoss.belgoline.com/snippets/hardening-centos-5.5]http://myoss.belgoline.com/snippets/hardening-centos-5.5[/url]
Example 3 - [url=http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf]http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf[/url]
File System Partitioning - /var - Why nodev and noexec are not recommended?
[quote]I was wondering if there was a reason why "nodev" is not recommended on Centos/RHEL/Fedora.[/quote]
The Centos Wiki link clearly states [i]"you'll need to modify this example to suit your own system"[/i], meaning that if using, say, "noexec,nosuid,nodev" does not hamper functionality in any way, and if it provides clear benefits with respect to security posture, then you should feel free to use that by all means.
[quote]I understand that "noexec" is not recommended as under /var, one may have websites which require exec permissions for CGI scripts.[/quote]
Yes, but only [i]if[/i] one runs web sites requiring exec perms for CGI purposes. Same goes for /tmp, as some apps will try to execute items there. Just find out if any do (try 'auditctl -w /tmp -p wx -k TMP_watch;' or see a FUSE loggedfs example [url=http://www.linuxquestions.org/questions/linux-security-4/auditd-missing-syscalls-813645/#post4001946]off-site[/url]) and how it affects functionality.
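The reply above boils down to: look at what each fstab entry actually carries, decide per mount point which of nodev/nosuid/noexec you want, and confirm with auditd that nothing needs to execute there before you add noexec. As an added example (not code from the thread or from the CentOS wiki), here is a small POSIX shell function that audits an fstab-style file for those flags. The file name, the mount points and the wanted-flag sets passed to it are assumptions for illustration; the sample fstab in the usage note is constructed, not taken from the thread. Two caveats worth keeping in mind when reading its output: noexec only stops direct execution (execve) of files on that mount, it does not stop "sh /tmp/script.sh" where an interpreter elsewhere reads the file as data; and nodev only matters where someone can create device nodes on the mount in the first place (mknod of a block or character device needs CAP_MKNOD, so it is a defence-in-depth flag, not a blocker for unprivileged users).

```shell
#!/bin/sh
# Added example, not part of the original thread.
# check_mount_flags FILE MOUNTPOINT "FLAG FLAG ..."
#   Looks up MOUNTPOINT in an fstab-style FILE (assumed layout: the
#   standard six columns, options in column 4, comments starting with #),
#   prints which of the wanted flags are missing from the options column
#   and returns 0 (all present), 1 (some missing) or 2 (no entry found).
check_mount_flags() {
    file=$1
    mp=$2
    want=$3

    # Column 4 of the first non-comment line whose mount point matches.
    opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$file")
    if [ -z "$opts" ]; then
        echo "$mp: no entry in $file (not a separate mount, so flags cannot apply)"
        return 2
    fi

    missing=""
    for f in $want; do
        # Wrap in commas so "nodev" does not match inside e.g. "nodevfoo".
        case ",$opts," in
            *",$f,"*) ;;
            *) missing="$missing $f" ;;
        esac
    done
    missing=${missing# }

    if [ -n "$missing" ]; then
        echo "$mp ($opts): missing $missing"
        return 1
    fi
    echo "$mp ($opts): ok"
    return 0
}

# When run as a script with arguments, act as a one-shot checker, e.g.
#   sh check_mount_flags.sh /etc/fstab /tmp "nodev nosuid noexec"
if [ $# -ge 3 ]; then
    check_mount_flags "$@"
fi
```

A practical way to use it is to run it once per mount point with the flag set you have decided on (for /var in the thread that is "nodev nosuid", with noexec added only after the auditctl watch shows nothing executing there), and treat a return value of 2 as its own finding: a directory that is not its own mount point inherits the flags of its parent, usually "defaults" on /, so no mount option can harden it.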