HPE Community
Operating System - HP-UX
1754393 Members
2850 Online
108813 Solutions
New Discussion юеВ

/etc/fstab & nosuid

 
SOLVED
Go to solution
Tim O'Connell
Regular Advisor

тАО03-12-2004 12:00 AM

тАО03-12-2004 12:00 AM

/etc/fstab & nosuid

I am currently "hardening" my HPUX11 server and one of the recommendations is to prevent programs with the SUID bit set being run in certain partitions (Obviously I won't remove it from root, tmp etc).One of my current vfstab entries looks like:
/dev/vg01/lvol5 /u05 vxfs delaylog 0 2

Can I simply replace delaylog with nosuid & unmount & mount or do I need to leave delaylog,nosuid there or is there a better way.

Rgds,

Tim

0 Kudos
Reply
5 REPLIES 5
Mark Grant
Honored Contributor

тАО03-12-2004 12:01 AM

тАО03-12-2004 12:01 AM

Solution

Re: /etc/fstab & nosuid

I'd leave the delaylog there myself. Otherwise, yes, just remount it with the new options.
Never preceed any demonstration with anything more predictive than "watch this"
Reply
G. Vrijhoeven
Honored Contributor

тАО03-12-2004 12:27 AM

тАО03-12-2004 12:27 AM

Re: /etc/fstab & nosuid

Hi Tim,

First I would not include / some commands need the suid bits.
Otherwise leave deleylog and add ,nosuid this works.
You can remount all filesystems online e.g.:

mount -o remount,nosuid /tmp

HTH,

Gideon
Reply
Bill Hassell
Honored Contributor

тАО03-12-2004 01:39 AM

тАО03-12-2004 01:39 AM

Re: /etc/fstab & nosuid

nosuid should be on *EVERY* mountpoint except / /usr /opt. That is especially true for /tmp, /var and /home as these are directories where users have write privileges. This is also important for database directories which should never have executables. I would also look carefully at database mountpoints that have wide open (777) permissions as this is not only a security risk (anyone can read the raw data) but anyone can trash the data.


Bill Hassell, sysadmin
Reply
Tim O'Connell
Regular Advisor

тАО03-12-2004 01:47 AM

тАО03-12-2004 01:47 AM

Re: /etc/fstab & nosuid

Thanks for the help. Points awarded

Rgds,

Tim
0 Kudos
Reply
Doug Burton
Respected Contributor

тАО03-12-2004 05:32 AM

тАО03-12-2004 05:32 AM

Re: /etc/fstab & nosuid

Here's (basically) what we use...
/dev/vg00/lvol3 / vxfs defaults 0 1
/dev/vg00/lvol1 /stand hfs defaults,nosuid 0 1
/dev/vg00/lvol5 /home vxfs defaults,nosuid 0 2
/dev/vg00/lvol6 /opt vxfs defaults 0 2
/dev/vg00/lvol7 /tmp vxfs defaults,nosuid 0 2
/dev/vg00/lvol8 /usr vxfs defaults 0 2
/dev/vg00/lvol4 /var vxfs defaults,nosuid 0 2
/dev/vg00/lvol9 /var/adm/crash vxfs delaylog,nosuid 0 2
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.