Securing Linux file systems that don’t contain executables

Linux comes with a slew of mount options, several of which are useful for locking down what can and can’t happen inside a file system. Three options I find super useful are noexec, nosuid and nodev. The noexec option disables execution for files that reside within a file system, nosuid disables execution of setuid executables inside a file system, and the nodev option instructs the file system not to interpret character or block special files. These options make a lot of sense for file systems such as /tmp, /home and /var, since these file systems typically don’t need to contain executables or device files. To set these options for ext3 file systems, you can add the options to the fourth field in /etc/fstab. Here is an example for /tmp:

/dev/sda4 /tmp ext3 noatime,nodev,noexec,nosuid 1 2

While not the holy grail of security, this small change can enhance security by forcing executables to live in well known locations. In a follow up post, I’ll describe how selinux can assist with limiting what well known executables can do.

2 thoughts on “Securing Linux file systems that don’t contain executables”

  1. Yeah, that’s a good point. I can’t understand why this simple stuff’s lying around unattended. Take OpenBSD as an example, their new installer comes with some autopartitioning magic that already sets some sane mount options.

Leave a Reply

Your email address will not be published. Required fields are marked *