On Sun, Aug 07, 2005 at 11:41:10AM -0400, David F. Skoll wrote:
> One of the things I normally do is mount /tmp "noexec". This can stop
> a lot of malware that dumps files in /tmp and tries to execute them.
> It's obviously not foolproof, but it's a useful extra bit of
> hardening.
I go several steps further:
/ rw
/usr ro,nodev
/usr/local rw,nosuid,nodev
/home rw,nosuid,nodev
/ext1-1 rw,noexec,nosuid,nodev
/var/exec rw,nosuid,nodev
/var rw,noexec,nosuid,nodev
It's designed mainly for servers, but I use it on every system
regardless. It works well enough, even for things like my laptop.
I like having a read-only /usr. I remount it 'rw' for package
upgrades. I do what I can to keep it that way even after upgrades
(lsof helps), but if it can't go back until next reboot (even if that
means years), it's no biggie.
Sometimes /usr/local can't be nosuid for local reasons. Ah well.
/ext1-1 is a remnant of an old mountpoint naming scheme I've been using
for ages, ext<d>-<n>, meaning the <n>th 'extra' partition on physical
disk <d>. In this case, I symlink /tmp and /var/tmp into it.
Sometimes I remount /ext1-1 'exec' if a (badly-written, IMO) program
needs to exec something there.
(Since it's really a system partition and not an 'extra' one, I
really ought to give it a better name.)
/var/exec is designed to hold things that actually do need execution,
like dpkg scripts, etc. I symlink into it from the appropriate places
in /var.
(The /var/exec stuff used to be stored under /ext1-1, but I
created the former when I began to realise several things were
better off just always having 'exec' instead of constantly
toggling exec on /ext1-1, e.g. for package upgrades.)
Also, I recommend 'noatime' on laptops, as it should reduce overall
hard drive usage.
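As an added example (not part of this mail or the thread), here is a POSIX shell audit that checks a mount table against the per-mountpoint option policy listed above. The mount table is a constructed sample in /proc/mounts format with placeholder device names; the policy lines are taken from the list in the message. In the sample, /var is deliberately missing noexec so the audit has something to report.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format:
#   device mountpoint fstype options dump pass
# Device names are placeholders. /var lacks noexec on purpose so the
# audit below reports a finding.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /usr ext3 ro,nodev 0 0
/dev/sda3 /usr/local ext3 rw,nosuid,nodev 0 0
/dev/sda5 /home ext3 rw,nosuid,nodev 0 0
/dev/sda6 /ext1-1 ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda7 /var/exec ext3 rw,nosuid,nodev 0 0
/dev/sda8 /var ext3 rw,nosuid,nodev 0 0'

# Policy: mountpoint, then the options it must carry (one line each).
POLICY='/usr ro,nodev
/usr/local nosuid,nodev
/home nosuid,nodev
/ext1-1 noexec,nosuid,nodev
/var/exec nosuid,nodev
/var noexec,nosuid,nodev'

# mount_opts MOUNTS MOUNTPOINT -> prints the option string of the exact
# mountpoint (prefix matches such as /var vs /var/exec are not confused).
mount_opts() {
    printf '%s\n' "$1" | while read -r dev mp fstype opts rest; do
        if [ "$mp" = "$2" ]; then
            printf '%s\n' "$opts"
            break
        fi
    done
}

# has_opt OPTSTRING OPT -> 0 if OPT is one of the comma-separated options.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mount MOUNTS MOUNTPOINT REQUIRED -> 0 if every required option is
# present; otherwise prints what is missing and returns 1.
check_mount() {
    opts=$(mount_opts "$1" "$2")
    if [ -z "$opts" ]; then
        echo "$2: not mounted"
        return 1
    fi
    missing=""
    old_ifs=$IFS
    IFS=,
    for want in $3; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    IFS=$old_ifs
    if [ -n "$missing" ]; then
        echo "$2: missing$missing (has: $opts)"
        return 1
    fi
    return 0
}

# audit MOUNTS POLICY -> checks every policy line; the return value is the
# number of mountpoints that failed (0 means the table matches the policy).
audit() {
    failures=0
    while read -r mp req; do
        [ -n "$mp" ] || continue
        check_mount "$1" "$mp" "$req" || failures=$((failures + 1))
    done <<EOF
$2
EOF
    return "$failures"
}

# Run against the constructed sample; on a live box use the real table:
#   audit "$(cat /proc/mounts)" "$POLICY"
# The message's temporary relaxations correspond to, e.g.,
#   mount -o remount,rw /usr        (package upgrade)
#   mount -o remount,exec /ext1-1   (program that must exec from /tmp)
# and the audit will flag them until the options are put back.
audit "$SAMPLE_MOUNTS" "$POLICY"
```

The matching is on the exact mountpoint string, so /var and /var/exec are checked independently, which matters here because the two are meant to carry different exec settings.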
I've thus far not felt the need to make a new partition for /var/log,
though I'm tempted sometimes on machines with heavier use.
As for sizes: I find an existing installation that most closely
mirrors my intended use of the new system, then base my new sizes off
it. I bump up values (or rarely, carefully shrink them) based on the
size of the new hard drive I'll be using versus my template machine:
* For a bleeding-edge all-purpose workstation, emphasis is on /usr
space. I've found installing lots of programs can eat that up
fast, and if you run out of /usr space, you're sorta screwed.
* For a typical long-term home system (without access to external
storage space), heavy emphasis goes towards /home, even at the
expense of /usr if the system will just have a lot of data
rather than programs.
* For a server, emphasis is on /var space. There will be lots of
service data, and plenty of logging as well.
Hope this helps.