Date:      Mon, 23 Jun 2003 11:45:37 -0400 (EDT)
From:      Robert Watson <rwatson@freebsd.org>
To:        Socketd <db@traceroute.dk>
Cc:        hackers@freebsd.org
Subject:   Re: Mounting
Message-ID:  <Pine.NEB.3.96L.1030623114101.52424E-100000@fledge.watson.org>
In-Reply-To: <20030623155627.5d0a0ad3.db@traceroute.dk>


On Mon, 23 Jun 2003, Socketd wrote:

> Would it be possible to have this configuration and not having the
> system fail (because of lacking rights or something): 
> 
> /tmp and /var/tmp 	noexec (I know /tmp has to be executable to make
> world)
> 
> /var			nosuid (what about even noexec?)

I think package installs may rely on the ability to execute install-time
pieces, but I'm not entirely sure.  nosuid will probably work fine for
these, but noexec could trigger problems; try installing a few packages
under a descending ktrace.  If that's not a concern (i.e., you don't
install software in the steady state), then you're probably OK. 

> /var/mail		noexec

nosuid would be fine here also. 

> /home			nosuid (again what about noexec if I don't have shell users,
> but only websites and backups on /home?)
> 
> Can nodev also be added to all above + /usr? 

nodev prevents opening specfs character devices, but doesn't prevent
opening fifos or UNIX domain sockets, so is generally fine for all file
systems except /dev.  The common exceptions I bump into are:

(1) If you have per-user chroots, make sure wherever their custom /dev is
    isn't nodev.

(2) The linux port used to (may still) install with a null device under
    /usr in the compat tree.  Mounting this with nodev will break opening
    /dev/null for Linux apps.  I'm not sure why the null entry exists
    there, and in fact we know it needs to go away since it will break
    when we GC major device numbers. 

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
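
The mount-option guidance in this message, expressed as a check over fstab lines. This is an added example, not part of the original e-mail or of FreeBSD itself; the sample fstab and the /jail mount point (a file system assumed to hold per-user chroot /dev directories) are constructed.

```shell
#!/bin/sh
# Mount points that hold device nodes and so must NOT be nodev.
# /jail is a hypothetical file system containing per-user chroot /dev trees.
# If /dev is not a separate mount on your system, add "/" to this list.
NODEV_EXEMPT="/dev /jail"
# Mount points for which the thread says nosuid is fine.
WANT_NOSUID="/var /var/mail /home"

# has_word WORD LIST...: succeed if WORD equals one of the remaining arguments.
has_word() {
    w=$1; shift
    for x in "$@"; do [ "$x" = "$w" ] && return 0; done
    return 1
}

# audit_fstab: read fstab lines on stdin, print one finding per line.
audit_fstab() {
    while read -r dev mnt fstype opts rest; do
        case $dev in ''|'#'*) continue ;; esac      # blank lines and comments
        [ "$fstype" = swap ] && continue
        set -- $(printf '%s' "$opts" | tr ',' ' ')  # options become "$@"
        if has_word "$mnt" $NODEV_EXEMPT; then
            has_word nodev "$@" && echo "BREAKS nodev $mnt"
        else
            has_word nodev "$@" || echo "MISSING nodev $mnt"
        fi
        if has_word "$mnt" $WANT_NOSUID; then
            has_word nosuid "$@" || echo "MISSING nosuid $mnt"
        fi
    done
    return 0
}

# Constructed sample input, not taken from a real system.
sample_fstab() {
    cat <<'EOF'
# Device      Mountpoint  FStype  Options            Dump Pass
/dev/ad0s1b   none        swap    sw                 0 0
/dev/ad0s1e   /tmp        ufs     rw,noexec,nodev    2 2
/dev/ad0s1f   /var        ufs     rw,nodev           2 2
/dev/ad0s1g   /home       ufs     rw,nosuid          2 2
/dev/ad0s1h   /jail       ufs     rw,nosuid,nodev    2 2
EOF
}

sample_fstab | audit_fstab
```

To check a real system, run `audit_fstab < /etc/fstab` after adjusting the two lists to the local layout.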




