home | list info | list archive | date index | thread index

[OCLUG-Tech] Thoughts on restrictive partitioning

  • Subject: [OCLUG-Tech] Thoughts on restrictive partitioning
  • From: David Shleifman <dimi3us [ at ] yahoo [ dot ] com>
  • Date: Fri, 25 Mar 2016 19:46:33 +0000 (UTC)
  Introduction
  ============


I am running Linux workstation for about a decade.   Recently, I paid attention that certain parts of the filesystem hierarchy could be carved up to facilitate the restrictive partitioning.  For instance (excerpt from http://www.oclug.on.ca/archives/linux/2005-August/000276.html): 

/                   rw
/usr             ro,nodev
/usr/local rw,nosuid,nodev
/home           rw,nosuid,nodev
/ext1-1       rw,noexec,nosuid,nodev
/var/exec   rw,nosuid,nodev
/var            rw,noexec,nosuid,nodev


  Access Control List

  ===================


I am aware that the file system maintains the Access Control List (ACL) for every object like file, directory, or device.  In short, the aforesaid mount options override the ACL entries.  For instance:
  $ getfacl -t some_file
  # file: some_file
  USER   some_user   rwx
  GROUP  some_group  r-x
  other              r--

After the partition (on which 'some_file' resides) is mounted with 'ro' option, the 'ro' option overrides the 'w' permission, which renders 'some_file' as being a non-writable file for any user.



  Questions

  =========


One may continue to carve up partitions to the point where restrictive mount options such as ro, noexec, nosuid, nodev are fine tuned.  My big questions are:
  1. Why override ACL entries?  Aren't ACL entries good enough to fine
     tune the restrictions?


  2. How far to go with the restrictive partitioning?   I feel that at
     some point, carving up more partitions just increases complexity
     of the filesystem hierarchy without providing any additional
     benefits.


  Goals
  =====
A. First and foremost, minimize harm caused by the inadvertent actions 

   conducted by a user or an administrator.

B. Secondly, if the restrictive partitioning improves the system resilience against malware/viruses, then it is a good bonus.



  Assumptions
  ===========


Please, address the aforesaid questions under the following assumptions:

a) All incoming network services on this workstation are closed.


b) the administrator can effortlessly carve up as many logical volumes as 

   needed (preferable to stay below two dozens).


c) the administrator doesn't need to worry about physical size of each 

   individual volume (similar to LVM)


d) the administrator can easily remount volume to change temporarily
   its mount restrictions.  For instance, partition mounted 'ro', can be
   easily remounted 'rw' for some maintenance action, and then remounted
   with 'ro'.



  Concerns

  ========


nodev
-----

As a user, I tried to create a character device.  Linux didn't allow me to run 'mknod'.  Given that user process cannot create device anyway, what "piece of mind" nodev does provide?

noexec
------

It seams that the user process will not be able to create executable files in /tmp, /dev/shm, once these are mounted with 'noexec' option.  But what about other places?  For instance, /home/$USER, or /run/user/$(id -u) ?  Given that there are alternative places where user process may create executable files, what "piece of mind" noexec does provide?

nosuid
------

It seams that the user process will not be able to elevate its privileges by invoking executable files from /tmp, /dev/shm, once these are mounted with 'nosuid' option   But what about other places?  Given that there are alternative places where user process may elevate its privileges by invoking executable files, what "piece of mind" nosuid does provide?