Mount options

[pfeingerhein]

Should I use mount options to help prevent intruders from further escalating a compromise ?

[homer]

yes, mount options can be used to prevent files from being interpreted as device nodes, to disallow binaries from being executed, and to disallow the SUID bit from taking affect (by using the nodev , noexec, and nosuid flags). Filesystems can also be mounted read-only with the ro option.

[vtechguy]

Quote:

Originally Posted by pfeingerhein

Should I use mount options to help prevent intruders from further escalating a compromise ?

By carefully considering your requirements and dividing up your storage into multiple filesystems, you can utilize mount options to increase the work that an attacker will have to do in order to further compromise your system. A quick way to do this is to first categorize your directory tree into areas that need write access for the system to function and those that don't. You should consider using the read-only flag on any part of the filesystem where the contents do not change regularly.

[homer]

Obviously, many directories (such as /home) will need to be mounted as read-write. However, it is unlikely that users on an average multiuser system will need to run SUID binaries or create device files within their home directories. Therefore, a separate filesystem, mounted with the nodev and nosuid options, could be created to house the users' home directories. In addition, if you've determined that your users will not need to execute programs stored in their home directories, you can use the noexec mount option as well.

[crash]

All I can say (not beening very educated) why wouldn't you use it?

[Trojanfan]

not sure, someone should explain it further

[kiz9999]

I agree with crash if it isn't going to cause that much inconvience why not enable it.

[forumowner]

i think it would be wise to mount options for security. i already am also.