From owner-freebsd-hackers@FreeBSD.ORG Mon Jun 23 08:45:54 2003
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B898737B401; Mon, 23 Jun 2003 08:45:54 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4ED1143FEC; Mon, 23 Jun 2003 08:45:53 -0700 (PDT) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (localhost [127.0.0.1]) by fledge.watson.org (8.12.9/8.12.9) with ESMTP id h5NFjbKJ053457; Mon, 23 Jun 2003 11:45:37 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Received: from localhost (robert@localhost) h5NFjbQZ053454; Mon, 23 Jun 2003 11:45:37 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Mon, 23 Jun 2003 11:45:37 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Socketd
In-Reply-To: <20030623155627.5d0a0ad3.db@traceroute.dk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: hackers@freebsd.org
Subject: Re: Mounting
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Mon, 23 Jun 2003 15:45:55 -0000

On Mon, 23 Jun 2003, Socketd wrote:

> Would it be possible to have this configuration and not have the
> system fail (because of lacking rights or something):
>
> /tmp and /var/tmp noexec (I know /tmp has to be executable to make
> world)
>
> /var nosuid (what about even noexec?)

I think package installs may rely on the ability to execute install-time
pieces, but I'm not entirely sure.  nosuid will probably work fine for
these, but noexec could trigger problems; try installing a few packages
under a descending ktrace.  If that's not a concern (i.e., you don't
install software in the steady state), then you're probably OK.

> /var/mail noexec

nosuid would be fine here also.

> /home nosuid (again what about noexec if I don't have shell users,
> but only websites and backups on /home?)
>
> Can nodev also be added to all above + /usr?

nodev prevents opening specfs character devices, but doesn't prevent
opening fifos or UNIX domain sockets, so is generally fine for all file
systems except /dev.  The common exceptions I bump into are:

(1) If you have per-user chroots, make sure wherever their custom /dev is
    isn't nodev.

(2) The linux port used to (may still) install with a null device under
    /usr in the compat tree.  Mounting this with nodev will break opening
    /dev/null for Linux apps.  I'm not sure why the null entry exists
    there, and in fact we know it needs to go away since it will break
    when we GC major device numbers.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
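The thread above weighs noexec/nosuid/nodev per mount point and names two places where nodev bites (a chroot's private /dev, and a device node living under a nodev mount such as the Linux compat tree under /usr). The script below is an added example, not code from the mail or from FreeBSD; it audits a constructed fstab against a hypothetical hardening policy and then checks whether any device node an application is expected to open sits on a nodev mount, using longest-prefix matching of the path against the mount points. The fstab contents, the policy, and the device-node paths are all constructed for the example.

```shell
#!/bin/sh
# Constructed sample fstab (not from the mail); models the layout discussed above.
SAMPLE_FSTAB='# Device        Mountpoint  FStype  Options                 Dump Pass
/dev/ad0s1a     /           ufs     rw                      1 1
/dev/ad0s1d     /tmp        ufs     rw,noexec,nosuid,nodev  2 2
/dev/ad0s1e     /var        ufs     rw,nosuid,nodev         2 2
/dev/ad0s1f     /usr        ufs     rw,nodev                2 2
/dev/ad0s1g     /home       ufs     rw,nosuid               2 2'

# Hypothetical policy (assumption): mountpoint followed by the options it must carry.
POLICY='/tmp noexec,nosuid,nodev
/var nosuid,nodev
/home nosuid,nodev
/usr nodev'

# Constructed paths of device nodes that programs need to open; these mirror the
# two exceptions in the mail: a per-user chroot /dev and the Linux compat null device.
DEV_NODES='/home/jail/dev/null
/usr/compat/linux/dev/null'

# audit_fstab FSTAB POLICY
# Prints "mountpoint option" for every required option that the fstab entry lacks.
# Comment lines and short lines are skipped; mounts not in the policy are ignored.
audit_fstab() {
    printf '%s\n' "$1" | awk -v policy="$2" '
    BEGIN {
        n = split(policy, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, " ")
            want[f[1]] = f[2]
        }
    }
    /^[ \t]*#/ || NF < 4 { next }
    ($2 in want) {
        for (o in have) delete have[o]
        m = split($4, opts, ",")
        for (j = 1; j <= m; j++) have[opts[j]] = 1
        k = split(want[$2], req, ",")
        for (j = 1; j <= k; j++)
            if (!(req[j] in have)) print $2, req[j]
    }'
}

# nodev_conflicts FSTAB PATHS
# For each device-node path, finds the mount point that is its longest prefix and
# prints "path mountpoint" when that mount carries nodev (opening the node would fail).
nodev_conflicts() {
    printf '%s\n' "$1" | awk -v paths="$2" '
    /^[ \t]*#/ || NF < 4 { next }
    { mp[$2] = $4 }
    END {
        n = split(paths, p, "\n")
        for (i = 1; i <= n; i++) {
            best = ""
            for (m in mp) {
                # "/" matches every absolute path; other mounts must match a full component
                prefix = (m == "/") ? "/" : m "/"
                if (index(p[i], prefix) == 1 && length(m) > length(best)) best = m
            }
            if (best != "" && ("," mp[best] ",") ~ /,nodev,/) print p[i], best
        }
    }'
}

# Stand-alone run: report policy gaps, then nodev conflicts.
audit_fstab "$SAMPLE_FSTAB" "$POLICY"
nodev_conflicts "$SAMPLE_FSTAB" "$DEV_NODES"
```

On the constructed input the audit reports that /home lacks nodev, and the conflict check flags /usr/compat/linux/dev/null because /usr is mounted nodev while /home/jail/dev/null is fine since /home is not. On a live FreeBSD system you would feed it the real /etc/fstab (or the output of `mount -p`, which prints the same layout) instead of the embedded sample.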