[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: tightest fstab
Quoting David Krause (firstname.lastname@example.org):
> Hmm, just realized I'm running named with nodev on /var. Seems to be
> working fine, but dev/null is supposed to be there, so I'll have to
> investigate what effect this has on it. You might want to loosen up the
> noexec,nosuid on /var. This will break some ports when you try to
> install them. Other than that, and I don't have noatime, my fstab is
I'm a HUGE fan of not executing things from /var. For a TMP
dir (/usr/ports usage, etc), I define TMP_DIR to be another dir.
For chroot things, I have a small (<50MB) /JAIL partition that
contains the binaries that I need to chroot. It's readonly.
I mount /JAIL/data/ for things that change (hmmm, like namedb).
I wouldn't advocate normalizing that into the install, but chroot
is of limited use (see a year of discussions on firewalls and fwtk
lists). Chrooting into an important partition is more risky than
chrooting into a read only partition.
My rough rule (excepting /, too often) for the "tightest" configs:
If it's writable, its noexec,nodev,nosuid.
If it's readable, it can execute and such.
Scripts that are shoved in /tmp/ (ick) can be run via "sh /tmp/SCRIPT"
if need be.
As always with Unix, you use/need may vary.