Securing-Optimizing-RH-Linux-1_2_52
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
52
session
required /lib/security/pam_limits.so
#session
optional /lib/security/pam_console.so
24. More control on mounting a file system
You can have more control on mounting a file system like /home and /tmp partitions with some
nifty options like noexec, nodev, and nosuid. This can be setup in the /etc/fstab text file. The
fstab file contains descriptive information about the various file systems mount options; each line
addresses one file system.
Information related to security options in the fstab text file are:
defaults
Allow everything (quota, read-write, and suid) on this partition.
noquota
Do not set users quotas on this partition.
nosuid
Do not set SUID/SGID access on this partition.
nodev
Do not set character or special devices access on this partition.
noexec
Do not set execution of any binaries on this partition.
quota
Allow users quotas on this partition.
ro
Allow read-only on this partition.
rw
Allow read-write on this partition.
suid
Allow SUID/SGID access on this partition.
NOTE: For more information on options that you can set in this file (fstab), see the man pages
about mount (8).
Edit the fstab file (vi /etc/fstab) and change depending of your needs:
/dev/sda11
/tmp
ext2 defaults 1 2
/dev/sda6
/home
ext2 defaults 1 2
To read:
/dev/sda11
/tmp
ext2 rw,nosuid,nodev,noexec 1 2
/dev/sda6
/home
ext2 rw,nosuid,nodev 1 2
Which means for <nosuid> do not allow set-user-identifier or set-group-identifier bits to take
effect, for <nodev> do not interpret character or block special devices on this file system partition,
and for <noexec> do not allow execution of any binaries on the mounted file system. Take a note
that we have added the rw option to the modified lines above, this is because the default options
for these lines are defaults, which means to set quota, read-write, and suid so we must add the
rw option to continue having read-write access on these modified file systems.
NOTE: For our example above, the /dev/sda11 represent our /tmp directory partition on the
system, and /dev/sda6 the /home directory partition. Of course this will be not the same for
you, depending of how you have partitioned you hard disk and what kind of disk are installed on
your system, IDE (hda, hdb, etc) or SCSI (sda, sdb, etc).
25. Move the binary RPM in a safe place or change its default permission
Once your have installed all software you need on your Linux server with the RPM command, its
a good idea for better security to move it in a safe place like floppy disk or other safe place of
your choice. With this method if some one accesses your server and has the intention to install
evil software with RPM command, he shouldnt be able. Of course if in the future you want to
install or upgrade to new software via RPM all you have to do is to replace the RPM binary to his
original directory again.
·
To move RPM binary on the floppy disk, use the command: