
Re: tightest fstab



Quoting David Krause (openbsd@davidkrause.com):
...
> Hmm, just realized I'm running named with nodev on /var.  Seems to be
> working fine, but dev/null is supposed to be there, so I'll have to
> investigate what effect this has on it.  You might want to loosen up the
> noexec,nosuid on /var.  This will break some ports when you try to
> install them.  Other than that, and I don't have noatime, my fstab is

I'm a HUGE fan of not executing things from /var.  For a TMP
dir (/usr/ports usage, etc), I define TMP_DIR to be another dir.

For chroot things, I have a small (<50MB) /JAIL partition that
contains the binaries that I need to chroot.  It's readonly.
I mount /JAIL/data/ for things that change (hmmm, like namedb).

I wouldn't advocate normalizing that into the install, but chroot
is of limited use (see a year of discussions on firewalls and fwtk
lists).  Chrooting into an important partition is more risky than
chrooting into a read only partition.

My rough rule (excepting /, too often) for the "tightest" configs:
If it's writable, it's noexec,nodev,nosuid.
If it's readable, it can execute and such.

Scripts that are shoved in /tmp/ (ick) can be run via "sh /tmp/SCRIPT"
if need be.

As always with Unix, your use/need may vary.
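
The "if it's writable, it's noexec,nodev,nosuid" rule above can be checked mechanically. The following is an added example, not part of the original post: the sample fstab is constructed, root is skipped as the exception the rule allows, and treating any entry without `ro` as writable is an assumption.

```shell
#!/bin/sh
# Constructed sample fstab (OpenBSD-style fields); devices and layout are made up.
SAMPLE_FSTAB='# device  mountpoint  type  options  dump  pass
/dev/wd0a /          ffs  rw                      1 1
/dev/wd0b none       swap sw                      0 0
/dev/wd0d /var       ffs  rw,nodev,nosuid         1 2
/dev/wd0e /tmp       ffs  rw,nodev,nosuid,noexec  1 2
/dev/wd0f /JAIL      ffs  ro                      1 2
/dev/wd0g /JAIL/data ffs  rw,noexec               1 2
/dev/wd0h /usr       ffs  ro,nodev                1 2'

# audit_fstab: read fstab text on stdin and print one line per violation,
#   "<mountpoint>: missing <opt>[,<opt>...]"
# Assumption: an entry without "ro" in its options counts as writable.
audit_fstab() {
    awk '
    BEGIN { nreq = split("noexec nodev nosuid", req, " ") }
    /^[ \t]*#/ || NF < 4         { next }  # comments, blank or short lines
    $3 == "swap" || $2 == "none" { next }  # swap has no file tree
    $2 == "/"                    { next }  # root: the exception the rule allows
    {
        split("", has)                     # portable way to clear the array
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) has[opt[i]] = 1
        if ("ro" in has) next              # read-only: exec and such are fine
        miss = ""
        for (i = 1; i <= nreq; i++)
            if (!(req[i] in has))
                miss = miss (miss == "" ? "" : ",") req[i]
        if (miss != "") printf "%s: missing %s\n", $2, miss
    }'
}

# Run against the sample when executed directly.
printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab
```

To audit a live system, feed it the real file: `audit_fstab < /etc/fstab`.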