#1 2009-12-07 08:16:07

milomouse
Member
Registered: 2009-03-24
Posts: 940

Advice on fstab entries with security in mind

Security is very important to me and I've been going through a checklist of measures I should be implementing, and securing the fstab entries just happens to be one of them. I've read over the Wiki on fstab and have been Googling for the past few hours trying to find what options (etc.) I should be passing to each specific partition. So, currently, my fstab looks like this:

## /etc/fstab: static file system information
## Last: 2009-11-23 19:12:43.735152644

# <file system>        <dir>         <type>    <options>          <dump> <pass>
none                   /dev/pts      devpts    defaults            0      0
none                   /dev/shm      tmpfs     defaults            0      0

/dev/mapper/home       /home         ext4      defaults            0      1
/dev/mapper/root       /             ext4      defaults            0      1
/dev/mapper/swap       swap          swap      defaults            0      0
/dev/mapper/tmp        /tmp          reiserfs  defaults            0      1
/dev/mapper/var        /var          reiserfs  defaults            0      1
/dev/sda1              /boot         ext2      defaults            0      1

Yes, 'Defaults' so far, as my system is relatively fresh (note the timestamp above; this was during Install process). All except /boot (/dev/sda1) partition are encrypted; the filesystem is noted next to each one. My main objective is to tighten permissions and attempt to thwart/disable most attackers from being able to do anything useful once my partitions are mounted. Also, I like being aware of what my system is mounted as and what it's doing.

(As far as pre-mount: the partitions are already encrypted, each [variably] having passwords over 32 chars in length; also needing one to pass LiLo if altered kernel command-line options are attempted, and ultimately the log-in as a user [whose passwords are also varying in length above 32 chars.])

Even with all the reading I've been doing I'm still uncertain as to what to pass to each partition, and why, although I have some small understanding of each option. I try not using 'Defaults' in case these change in the future (for whatever reason). With this in mind, I've come up with this proposal for now:

# <file system>        <dir>         <type>    <options>                            <dump> <pass>
none                   /dev/pts      devpts    rw,dev,nosuid,noexec,relatime          0 0
none                   /dev/shm      tmpfs     rw,nodev,nosuid,relatime            0 0

/dev/mapper/home       /home         ext4      rw,nodev,nosuid,async,nodiratime,noatime    0 1
/dev/mapper/root       /             ext4      defaults,relatime    0 1
/dev/mapper/swap       swap          swap      rw,nodev,nosuid,noexec,async,relatime    0 0
/dev/mapper/tmp        /tmp          reiserfs  rw,nodev,nosuid,noexec,async,relatime    0 1
/dev/mapper/var        /var          reiserfs  rw,nodev,nosuid,noexec,async,relatime    0 1
/dev/sda1              /boot         ext2      ro,nosuid,nodev    0 1

As you've noticed, I'm not sure what to use for /root partition, it's basically defaults with added relatime. Any advice on the root partition in particular is appreciated.

1. Having /boot mounted as read-only; I only need to edit when I want to update kernel or change boot parameters, in which case I'll manually re-mount as read-write and do my changes, updating whatever, and then remounting as read-only again. AFAIK, only updating kernel/running mkinitcpio, running LiLo, or editing whatever config file exists on the /boot partition is when it needs to be read-write.  Am I wrong in this?

2. I've noticed some people have "umask" or "mode" and "gid" set. I'm not entirely sure what the difference between "umask" and "mode" is, or what "gid" is specifically. I believe the "mode" is read-write permissions, and that's how files are written to that mount-point/partition? If so, should I implement this for any one in specific, like /tmp or /var? I don't want to have a mount-point set at something like 755 or 777 if it doesn't need to be.

3. Total newbie question: Am I able to mount a folder from an encrypted partition differently than the parent partition? Example: My /var is encrypted and mounted as /dev/mapper/var and I pass certain options to it (as above); am I able to mount /var/tmp as well, with different options? Or will this conflict with the encrypted /dev/mapper/var?


Again, I'm not the smartest cat of the bunch but I'm working at the best of my knowledge. Thanks for those willing to take the time and read over this.

EDIT: removed some options.

Last edited by milomouse (2009-12-07 12:31:01)


#2 2009-12-07 10:02:33

new2arch
Member
Registered: 2008-02-25
Posts: 235

Re: Advice on fstab entries with security in mind

I'm not the smartest guy either but I can say mounting /boot partition as 'read only' works well, but as you've mentioned, you have to mount it writable when you do certain updates.

I'm not sure what you want to accomplish with 'nouser'?

Last edited by new2arch (2009-12-07 10:07:48)


#3 2009-12-07 11:48:33

milomouse
Member
Registered: 2009-03-24
Posts: 940

Re: Advice on fstab entries with security in mind

Hey, thanks for the input. I was thinking the whole read-only would work for /boot but wanted a second opinion.

Well, the Wiki says that 'nouser' only allows root to mount it. I guess this is the case anyway? It says it's default so I'm thinking that it's implied and therefore pointless to add to the options. I just noticed a few people appending the line to theirs, but they were on distros like Gentoo, so I'm not sure if it's default for them or not, or maybe it is and they're just adding redundancy. Hmm!


#4 2009-12-07 11:54:06

new2arch
Member
Registered: 2008-02-25
Posts: 235

Re: Advice on fstab entries with security in mind

milomouse wrote:

Hey, thanks for the input. I was thinking the whole read-only would work for /boot but wanted a second opinion.

Well, the Wiki says that 'nouser' only allows root to mount it. I guess this is the case anyway? It says it's default so I'm thinking that it's implied and therefore pointless to add to the options. I just noticed a few people appending the line to theirs, but they were on distros like Gentoo, so I'm not sure if it's default for them or not, or maybe it is and they're just adding redundancy. Hmm!

Only root and system can mount partitions unless others are mentioned in fstab, as far as I know.
I'm sure you won't try it, but don't get too excited and mount / as read only - it will render your system unbootable. I've learned it the hard way. ^^
/usr can be created as a separate partition and mounted ro, but in Arch it tends to become an annoyance since there are new packages to update more or less every day.


#5 2009-12-07 12:08:58

denton
Member
Registered: 2009-12-05
Posts: 13

Re: Advice on fstab entries with security in mind

nouser and exec are default options, so no need to state those. Same goes for dev, suid, etc.

Also, I'm not sure about using nodev on /dev/pts. By deduction, I'm almost certain that /dev and all its directories contain device nodes (except shm, of course).

My fstab:

none                   /dev/pts      devpts    noexec,nosuid                                                    0 0
none                   /dev/shm      tmpfs     noexec,nosuid,nodev                                              0 0

/dev/sda1              /boot         ext4      noexec,nosuid,nodev                                              0 1
/dev/sda5              /var          ext4      noexec,nosuid,nodev,usrjquota=aquota.user,jqfmt=vfsv0            0 1
/dev/sda6              /mnt/prg      ext4      nodev                                                            0 1
/dev/sda7              /             ext4      defaults                                                         0 1
/dev/sda8              /home         ext4      nosuid,nodev                                                     0 1
/dev/sda9              swap          swap      defaults                                                         0 0

Instead of stating errors=remount-ro here, you can alter this setting with tune2fs. This has the advantage that the error behaviour will be applied whenever and wherever the fs is mounted.

Oh, and /mnt/prg contains /usr and /opt.

Last edited by denton (2009-12-07 12:20:32)
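
An added example, not part of any post in this thread: a small Python auditor that reads fstab text, works out which restrictive flags (`ro`, `nodev`, `nosuid`, `noexec`) are actually in force on each entry, and reports deviations from a per-mount-point policy. The `REQUIRED` and `FORBIDDEN` tables are assumptions assembled from the option sets posted above, and the names `effective` and `audit` are hypothetical.

```python
# Added example: audit fstab text against a per-mount-point option policy.
# Permissive option -> the restrictive flag it cancels when it appears later.
CANCELS = {"dev": "nodev", "suid": "nosuid", "exec": "noexec", "rw": "ro"}
# Per mount(8), user/users imply noexec,nosuid,nodev; owner/group imply nosuid,nodev.
IMPLIES = {
    "user": ["noexec", "nosuid", "nodev"], "users": ["noexec", "nosuid", "nodev"],
    "owner": ["nosuid", "nodev"], "group": ["nosuid", "nodev"],
}
# Assumed policy, assembled from the option sets posted in this thread.
REQUIRED = {
    "/boot": {"ro", "nodev", "nosuid"}, "/home": {"nodev", "nosuid"},
    "/tmp": {"nodev", "nosuid", "noexec"}, "/var": {"nodev", "nosuid", "noexec"},
    "/dev/shm": {"nodev", "nosuid"}, "/dev/pts": {"nosuid", "noexec"},
}
# Assumption following post #5: /dev/pts holds device nodes, so nodev is flagged.
FORBIDDEN = {"/dev/pts": {"nodev"}}

def effective(options):
    """Restrictive flags in force after reading the options left to right."""
    flags = set()
    for opt in options.split(","):
        for o in IMPLIES.get(opt, [opt]):
            if o in CANCELS:
                flags.discard(CANCELS[o])   # e.g. a later "exec" undoes "noexec"
            elif o in CANCELS.values():
                flags.add(o)
    return flags  # "defaults" and tuning options such as relatime add nothing

def audit(fstab_text):
    """Map mount point -> findings for every entry that deviates from the policy."""
    findings = {}
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # blank line, comment, or malformed entry
        mount_point, flags = fields[1], effective(fields[3])
        missing = REQUIRED.get(mount_point, set()) - flags
        unexpected = FORBIDDEN.get(mount_point, set()) & flags
        if missing or unexpected:
            findings[mount_point] = {"missing": sorted(missing),
                                     "unexpected": sorted(unexpected)}
    return findings

# Sample input: three of the all-defaults entries from the first post.
SAMPLE = """\
none             /dev/pts  devpts    defaults  0 0
/dev/mapper/tmp  /tmp      reiserfs  defaults  0 1
/dev/sda1        /boot     ext2      defaults  0 1
"""
```

Calling `audit(SAMPLE)` lists the missing flags for each of the three entries; pass the contents of a real `/etc/fstab` to check a live system.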


#6 2009-12-07 12:18:55

milomouse
Member
Registered: 2009-03-24
Posts: 940

Re: Advice on fstab entries with security in mind

@new2arch:
Yeah, I read an Arch post about mounting /root as read-only and it didn't work out too well for them either. They linked to some SUSE page about mounting as read-only so I guess it's different for them. I didn't really read that article as it didn't apply to me, and like you said, I write to the /root partition basically every day I'm using Arch, what with the updates and everything.

@denton:
Good, good. More stuff to eliminate from the option lines. I thought there was a little redundancy going on there but wanted to state them anyway for clarity purposes so I, myself, know what's going on. I guess I won't add them when I write to the actual fstab file though, to save on [albeit, a minute amount] of size.

Again, I keep reading examples from all over the place so I get a little boggled. I was actually very curious about this part: nodev on /dev/pts, as it didn't seem to make sense. I'm glad someone pointed that out before I actually committed anything.

EDIT: ah, edit!
@denton:

Hey, thanks for posting your fstab. You have me wondering; what's this bit about:
usrjquota=aquota.user,jqfmt=vfsv0

I don't recall reading about that. I remember seeing the word "quota" on one website but it just said "or you can set a quota for users.." but it didn't elaborate and I figured it was for file-write size or something.

Last edited by milomouse (2009-12-07 12:22:22)


#7 2009-12-07 12:25:10

denton
Member
Registered: 2009-12-05
Posts: 13

Re: Advice on fstab entries with security in mind

^ that's for user quotas.

I use it on /var because polipo is too dumb to know how big its cache is getting.

Edit: it also enables journaled quota.

Last edited by denton (2009-12-07 12:27:41)


#8 2009-12-07 12:27:38

milomouse
Member
Registered: 2009-03-24
Posts: 940

Re: Advice on fstab entries with security in mind

Alright, thanks. I'll do a little digging and see if I need to set it for any reason. (don't use polipo here but I may use something else that needs it!)
