From: Florian Philipp
Date: Wed, 24 Apr 2013 17:31:06 +0200
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Partitions - last questions...
Message-ID: <5177FABA.4010902@binarywings.net>
In-Reply-To: <5177F662.8070606@libertytrek.org>

On 24.04.2013 17:12, Tanstaafl wrote:
> On 2013-04-24 8:48 AM, Florian Philipp wrote:
>>> One thing I'm trying to do is make the system as secure as
>>> possible at the filesystem level, and I've read that making /tmp
>>> and /var/tmp separate partitions so you can mount them
>>> /nodev/noexec/nosuid is one way to make things a bit more
>>> secure...
>
>> noexec won't work for portage so put PORTAGE_TMPDIR somewhere else.
>
> Ok, but - does it make sense to add the noexec option to /var/tmp? Is it
> possible that there are other apps that need exec capability in there?
>

It makes sense. Any world-writable directory should be noexec to make
script injection harder. Other directories, too, like /var/www (if you
can, i.e. no cgi). I cannot tell you if any application might need it.
Try it. It is easy enough to revert, maybe even with a `mount -o
remount`, I'm not sure.

Also, look at
http://serverfault.com/questions/72356/how-useful-is-mounting-tmp-noexec

>>> On that note, I realized I can't make two /tmp's in lvm, so, I guess I
>>> can make a vtmp, and just bind that to /var/tmp in fstab like:
>>>
>>> /dev/vg/vtmp /var/tmp ext4 nodev,noexec,nosuid 0 0
>>>
>>> Will that work?
>
>> Sure, why not, but you should set the pass column to 2 instead of 0.
>
> What is the 'pass' column? The 5th column is the 'dump' column, and the
> 6th is the 'fsck' column, afaik?
>

Okay, your "fsck" column is called "pass" in my fstab. Anyway, a value of
two means "fsck after root", one means "fsck as root" and 0 "no fsck".
See `man fstab`. Obviously you want fsck.

Regards,
Florian Philipp
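The two points raised in the thread, mounting world-writable scratch directories with nodev,noexec,nosuid and giving them a non-zero pass (fsck) column, as an added example that is not part of the original message: a small POSIX sh audit that reads fstab-style text and flags the entries for a given list of mountpoints. The sample fstab is constructed for the demonstration; only the /var/tmp line is the one quoted in the thread, the other device names and entries are made up, and the mountpoint list deliberately leaves out PORTAGE_TMPDIR because portage needs exec there.

```shell
#!/bin/sh
# Added example (not from the thread): audit fstab-style text for the
# hardening discussed above. For each mountpoint named on the command line
# it reports missing nodev/noexec/nosuid options and a pass (6th, fsck)
# column of 0, which disables fsck for that filesystem.

# Constructed sample fstab. Only the /var/tmp line is the one quoted in the
# thread; the other lines are made up for this demonstration.
SAMPLE_FSTAB='# <fs>              <mountpoint>      <type>  <opts>               <dump> <pass>
/dev/vg/root         /                 ext4    defaults             0      1
/dev/vg/vtmp         /var/tmp          ext4    nodev,noexec,nosuid  0      0
/dev/vg/tmp          /tmp              ext4    defaults             0      2
/dev/vg/ptmp         /var/tmp/portage  ext4    nodev,nosuid         0      2'

# has_opt OPTS NAME: succeed when NAME is an exact token in the
# comma-separated mount option string OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# is_target MP LIST...: succeed when MP is one of the listed mountpoints.
is_target() {
    needle=$1; shift
    for t in "$@"; do
        [ "$needle" = "$t" ] && return 0
    done
    return 1
}

# audit_fstab MP...: read fstab text on stdin, print one finding per line
# for the listed mountpoints, exit 0 when clean and 1 when anything was
# flagged.
audit_fstab() {
    findings=0
    while read -r fs mp type opts dump pass; do
        case "$fs" in ''|'#'*) continue ;; esac   # skip blanks and comments
        is_target "$mp" "$@" || continue
        [ -z "$pass" ] && pass=0                  # omitted pass defaults to 0
        for want in nodev noexec nosuid; do
            if ! has_opt "$opts" "$want"; then
                echo "$mp missing:$want"
                findings=$((findings + 1))
            fi
        done
        # pass: 2 = fsck after root, 1 = fsck as root (only for /), 0 = no fsck
        if [ "$pass" = "0" ]; then
            echo "$mp pass=0"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Stand-alone run over the two world-writable scratch directories.
# /var/tmp/portage (PORTAGE_TMPDIR) is not listed because portage needs exec.
printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab /tmp /var/tmp \
    || echo "fstab entries above need attention"
```

Run against the sample it flags the quoted /var/tmp line for pass=0 and the /tmp line for all three missing options; against a real system, feed it `/etc/fstab` on stdin and list the directories you intend to keep noexec.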