How do I mount /tmp on a simple partition structure?

beansbaxter

Verified User
Joined
Mar 17, 2004
Messages
218
Location
WA
How do I mount /tmp and /home on a simple partition structure?

I cleared my hard drives and during the Debian 5 installation, I followed the DirectAdmin Installation instructions which suggested the following simple partition structure:

/boot 40 meg
swap 2 x memory
/ rest of drive

When I look at the "mount" command, I see the following:
Code:
# mount
/dev/sda3 on / type ext3 (rw,errors=remount-ro,usrquota,grpquota)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
procbususb on /proc/bus/usb type usbfs (rw)
udev on /dev type tmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)

Based on the output from mount, do I need to noexec,nosuid the /tmp and /home directories?

As I'm looking around after the DA install, I see that the /tmp and /home directory resides on the / partition. How do I mount /tmp and /home with noexec,nosuid in /etc/fstab?

Thanks in advance.
 
You can only mount partitions; you'd have to start over, making separate partitions for any directories on which you want to change mount options.

Or you can create files and mount them as partitions; I believe instructions for doing this with /tmp are included in these forums.

Jeff
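The container-file approach Jeff mentions, written out as an added example (not code from the thread or from DirectAdmin): an image file is created and formatted, an /etc/fstab line mounts it on /tmp through the loop device with noexec,nosuid,nodev, and a small parser checks mount(8) output, in the same format the original poster pasted, for the options a given mountpoint actually has. The image path /var/tmpfs.img and the 1024 MB size are assumptions; the sample mount output is a constructed excerpt of the listing above. Only the image creation needs root, and it runs only when the script is invoked with the word `setup`.

```shell
#!/bin/sh
# Added example: loop-mounted /tmp with noexec,nosuid,nodev, plus a check
# of mount(8) output. Image path and size below are assumptions.

# Emit the /etc/fstab entry for an image file mounted via the loop device.
# Usage: fstab_line IMAGE MOUNTPOINT FSTYPE OPTIONS
fstab_line() {
    printf '%s\t%s\t%s\t%s\t0\t0\n' "$1" "$2" "$3" "loop,$4"
}

# Create and format the image, append the fstab entry, mount it. Needs root.
# Usage: make_tmp_image [IMAGE] [SIZE_MB]
make_tmp_image() {
    img=${1:-/var/tmpfs.img}      # assumed path
    size_mb=${2:-1024}            # assumed size
    dd if=/dev/zero of="$img" bs=1M count="$size_mb"
    chmod 600 "$img"              # the backing file itself must not be world-readable
    mkfs.ext3 -F "$img"           # -F: mkfs would otherwise refuse a non-block device
    fstab_line "$img" /tmp ext3 noexec,nosuid,nodev >> /etc/fstab
    mount /tmp
    chmod 1777 /tmp               # sticky, world-writable, like the original /tmp
}

# Check mount(8)-style output for MOUNTPOINT and require every option in the
# comma-separated list WANT. Returns 0 if all present, 1 if one is missing,
# 2 if the path is not a mountpoint at all (i.e. lives on the parent fs).
# Usage: mount_has_opts MOUNTPOINT WANT "$(mount)"
mount_has_opts() {
    mp=$1; want=$2; output=$3
    # "dev on /path type fs (opt,opt)" -> field 6 is the option list
    opts=$(printf '%s\n' "$output" |
           awk -v mp="$mp" '$3 == mp { gsub(/[()]/, "", $6); print $6 }')
    [ -n "$opts" ] || return 2
    for o in $(printf '%s' "$want" | tr ',' ' '); do
        case ",$opts," in
            *",$o,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample, taken from the mount listing in the question.
SAMPLE_MOUNT='/dev/sda3 on / type ext3 (rw,errors=remount-ro,usrquota,grpquota)
proc on /proc type proc (rw,noexec,nosuid,nodev)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
/dev/sda1 on /boot type ext3 (rw)'

echo "fstab entry:"
fstab_line /var/tmpfs.img /tmp ext3 noexec,nosuid,nodev

rc=0
mount_has_opts /tmp noexec,nosuid "$SAMPLE_MOUNT" || rc=$?
case $rc in
    0) echo "/tmp is mounted with noexec,nosuid" ;;
    1) echo "/tmp is a separate mount but lacks noexec and/or nosuid" ;;
    2) echo "/tmp is not a mountpoint; it lives on the / filesystem" ;;
esac

# Run "sh thisscript.sh setup" as root to build and mount the image.
if [ "${1:-}" = setup ]; then
    make_tmp_image "${2:-}" "${3:-}"
fi
```

On the live box, replace the sample with real output: `mount_has_opts /tmp noexec,nosuid "$(mount)"`. In the listing from the question it returns 2, because /tmp is not its own mountpoint and so inherits the plain `rw` options of /dev/sda3.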
 
While Jeff did suggest one fix, that is certainly not recommended especially from a security standpoint.

Separate partitions are the way to go.
 
I do not claim to be expert on all matters security-related. However I've never seen a security alert on mounting container files as partitions. And the result is to all intents and purposes a separate partition.

Other methods of creating a separate partition are to rebuild the entire server from scratch (time-consuming), and to resize an existing partition, which could be dangerous and should be preceded by (possibly unmounting and) backing up the partition being resized, which could also be time-consuming. In some cases inattention to detail could cause a server to crash during the resize operation, so perhaps all partitions should be backed up, which is even more time-consuming.

I'd like to know why it's better from a security standpoint than creating a partition based on a file.

Please explain in detail, including links to explanations of security issues involved in mounting container files as partitions.

Thanks.

Jeff
 
Yes, I would like details as well.

On the other hand, I believe it is a waste of time. Securing /tmp will prevent something like this from running:

/tmp/script.pl

But it will not prevent:

perl /tmp/script.pl

I have managed hundreds of servers over the last 12 years or so. I personally have never seen an instance where securing /tmp would have been useful.

And securing /tmp causes other problems. For me it has caused more problems than it fixed.
 
So, Floyd, you're saying that it's useless to secure /tmp? What happens when I upload a binary to /tmp and get root?
 
Maybe not completely useless, but you could just as easily upload a perl script and accomplish the same thing as the binary, and run the perl script despite /tmp being secured.

I am only speaking of what is more common. Go ahead and "secure" /tmp. It's not really secure, though. It only prevents a binary from running.

Getting root from either a binary or a perl script is a whole other matter.
 