I have been running a Linux workstation for more than 10 years. Up until now, I didn't pay attention to the mount options of the partitions that the filesystem hierarchy is composed of.
Recently, I came across recommendations published by the Center for Internet Security. I realized that I don't understand the rationale for their recommendations. I tried in vain to plough through this aspect by reading about protective partitioning.
My objective is to come up with a permission scheme that:
- first and foremost, minimizes harm caused by the inadvertent actions conducted by a user or an administrator
- secondly, makes the life of malware/virus somewhat more miserable
My assumptions are:
- the administrator can effortlessly carve up as many logical volumes as needed (preferably staying below two dozen)
- the administrator doesn't need to worry about the physical size of each individual volume (similar to LVM)
- the administrator can easily remount a volume to temporarily change its mount permissions
I am going to write down below what I have learnt. It would be nice to receive review feedback.
1. nodev mount option
Recommendation (quoted):
nodev shall not be set on the /dev mounting point. Ideally, it should be set everywhere else. At least, set it on /tmp, /home.
What is the use case for this recommendation?
As a user, I tried to create a character device. Linux didn't allow me to run mknod. Given that a user process cannot create a device anyway, what "peace of mind" does nodev provide?
2. noexec mount option
Recommendation (quoted):
noexec shall not be set on /opt, /root, /usr, /srv mounting points. Ideally, it should be set everywhere else. At least, set it on /tmp, /dev/shm.
What is the use case for this recommendation?
It seems that a user process will not be able to create executable files in /tmp or /dev/shm. But what about other places? For instance, /home/$USER or /run/user/$(id -u)?
Given that there are alternative places where a user process may create executable files, what "peace of mind" does noexec provide?
3. nosuid mount option
Recommendation (quoted):
nosuid shall not be set on /opt, /root, /usr mounting points. Ideally, it should be set everywhere else. At least, set it on /tmp, /dev/shm.
What is the use case for this recommendation?
It seems that a user process will not be able to elevate its privileges by invoking executable files from /tmp or /dev/shm. But what about other places? Given that there are alternative places where a user process may elevate its privileges by invoking executable files, what "peace of mind" does nosuid provide?
I forgot to mention that the workstation is connected to the LAN, so other LAN users may log in using the ssh service.