File System Partitioning - /var - Why nodev and noexec are not recommended?


Postby thingy » 2011/12/23 17:25:53

Hi

Re: CentOS 6.2 and restrictive mount-flags

I've seen several examples for separating file systems into various partitions so that one can fine tune permissions and functionality, but in each example the author recommends mounting the /var partition as "defaults,nosuid".

Query: I was wondering if there was a reason why "nodev" is not recommended on CentOS/RHEL/Fedora.

/dev/VG_OS/lv_var /var ext3 defaults,nosuid,nodev 1 2

I understand that "noexec" is not recommended as under /var, one may have websites which require exec permissions for CGI scripts.

regards,

jinesh

Example 1 - http://wiki.centos.org/HowTos/OS_Protection
Example 2 - http://myoss.belgoline.com/snippets/hardening-centos-5.5
Example 3 - http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf
thingy
 
Posts: 1
Joined: 2011/12/23 17:14:38

Postby unspawn » 2011/12/26 23:26:54

> I was wondering if there was a reason why "nodev" is not recommended on CentOS/RHEL/Fedora.

The CentOS Wiki link clearly states "you'll need to modify this example to suit your own system", meaning that if using, say, "noexec,nosuid,nodev" does not hamper functionality in any way and if it provides clear benefits wrt security posture, then you should feel free to use that by all means.


> I understand that "noexec" is not recommended as under /var, one may have websites which require exec permissions for CGI scripts.

Yes, but only if one runs web sites requiring exec perms for CGI purposes. Same goes for /tmp as some apps will execute items there. Just find out if any do (try 'auditctl -w /tmp -p wx -k TMP_watch;' or see a FUSE loggedfs example off-site) and how it affects functionality.
unspawn
 
Posts: 163
Joined: 2006/12/11 12:28:52
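
A pre-flight check for the question discussed in this thread, added here as an example and not written by either poster: it reports which restrictive options an fstab entry still lacks and lists the files under a mount point that each option would affect. The function names `missing_opts` and `blockers` are hypothetical, and an executable bit is only a hint that something is executed from there, which is what the audit watch above confirms.

```shell
#!/bin/bash
# Added example (not from the thread): check before adding nodev/noexec/nosuid.

# Print the restrictive options that the entry for mount point $2 in the
# fstab-format file $1 does not carry yet ("defaults" implies dev,exec,suid).
missing_opts() {
    awk -v mp="$2" '
        $1 !~ /^#/ && $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) have[o[i]] = 1
            out = ""
            if (!("nosuid" in have)) out = out " nosuid"
            if (!("nodev"  in have)) out = out " nodev"
            if (!("noexec" in have)) out = out " noexec"
            print substr(out, 2)
            exit
        }' "$1"
}

# List "<option> <path>" for every file under directory $1 that the option
# would affect. -xdev keeps find on the one filesystem being examined.
blockers() {
    # Device nodes stop working under nodev.
    find "$1" -xdev \( -type b -o -type c \) -print 2>/dev/null |
        sed 's/^/nodev /'
    # setuid/setgid bits are ignored under nosuid.
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        sed 's/^/nosuid /'
    # Directly executed files (CGI scripts, binaries) fail under noexec.
    find "$1" -xdev -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print 2>/dev/null |
        sed 's/^/noexec /'
}

# Constructed sample: the fstab line quoted in the question.
sample=$(mktemp)
printf '%s\n' '/dev/VG_OS/lv_var /var ext3 defaults,nosuid,nodev 1 2' > "$sample"
echo "/var entry is missing: $(missing_opts "$sample" /var)"
rm -f "$sample"

# Optional: pass a mount point (e.g. /var) to list what the options would touch.
if [ $# -gt 0 ]; then
    blockers "$1"
fi
```

An empty `nodev` or `noexec` list from `blockers /var` means nothing on that filesystem currently depends on the permission the option removes.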
