Separation of the operating system files from user files may result in a more secure system. ideally the following filesystems should be mounted on separate partitions:
- /usr
- /home
- /var and /var/tmp
- /tmp
I also suggest separate partitions for Apache and FTP server roots. Edit /etc/fstab file and make sure you add the following configuration options:
- noexec - Do not set execution of any binaries on this partition (prevents execution of binaries but allows scripts).
- nodev - Do not allow character or special devices on this partition (prevents use of device files such as zero, sda etc).
- nosuid - Do not set SUID/SGID access on this partition (prevent the setuid bit).
Sample /etc/fstab entry to to limit user access on /dev/sda5 (www server root directory):
/dev/sda5 /srv/www/htdocs ext3 defaults,nosuid,nodev,noexec 1 2
No comments:
Post a Comment