---

---

Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca © Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ® 52 session required      /lib/security/pam_limits.so #session optional        /lib/security/pam_console.so 24. More control on mounting a file system You can have more control on mounting a file system like “/home” and “/tmp” partitions with some nifty options like noexec, nodev, and nosuid. This can be setup in the “/etc/fstab” text file. The fstab file contains descriptive information about the various file systems mount options; each line addresses one file system. Information related to security options in the fstab text file are: defaults  Allow everything (quota, read-write, and suid) on this partition. noquota Do not set users quotas on this partition. nosuid Do not set SUID/SGID access on this partition. nodev Do not set character or special devices access on this partition. noexec Do not set execution of any binaries on this partition. quota Allow users quotas on this partition. ro Allow read-only on this partition. rw Allow read-write on this partition. suid   Allow SUID/SGID access on this partition. NOTE: For more information on options that you can set in this file (fstab), see the man pages about mount (8). Edit the fstab file (vi /etc/fstab) and change depending of your needs: /dev/sda11 /tmp   ext2   defaults        1 2  /dev/sda6   /home ext2   defaults        1 2  To read: /dev/sda11   /tmp   ext2 rw,nosuid,nodev,noexec 1 2 /dev/sda6   /home   ext2 rw,nosuid,nodev 1 2 Which means for <nosuid> do not allow set-user-identifier or set-group-identifier bits to take effect, for <nodev> do not interpret character or block special devices on this file system partition, and for <noexec> do not allow execution of any binaries on the mounted file system. Take a note that we have added the “rw” option to the modified lines above, this is because the default options for these lines are “defaults, which means to set quota, read-write, and suid” so we must add the “rw” option to continue having read-write access on these modified file systems. NOTE: For our example above, the “/dev/sda11” represent our “/tmp” directory partition on the system, and “/dev/sda6” the “/home” directory partition. Of course this will be not the same for you, depending of how you have partitioned you hard disk and what kind of disk are installed on your system, IDE (hda, hdb, etc) or SCSI (sda, sdb, etc). 25.   Move the binary RPM in a safe place or change its default permission Once your have installed all software you need on your Linux server with the RPM command, it’s a good idea for better security to move it in a safe place like floppy disk or other safe place of your choice. With this method if some one accesses your server and has the intention to install evil software with RPM command, he shouldn’t be able. Of course if in the future you want to install or upgrade to new software via RPM all you have to do is to replace the RPM binary to his original directory again. · To move RPM binary on the floppy disk, use the command: