strange software installation problem

Keith Mastin kmastin-PzQIwG9Jn9VAFePFGvp55w at public.gmane.org
Tue Jan 13 20:53:44 UTC 2004


> Is it a good idea to add something like "exec" into the /etc/fstab? Are
> there many viruses spread by cdrom?

Messing with fstab should, IMHO, be done with a lot of thought about
system usage and accessibility.

You can set up the cdrom and floppy drives to allow only root access. To
tighten a box down a bit more than the defaults, you can also set /home
and /tmp to noexec, /var to noexec,nosuid, /usr to nosuid and /boot to not
be mounted at all. I generally set up servers to allow only one non-root
user login via ssh (su to root only for that one user), limited number of
secure ttys and a tightened down fstab for starters.

On a multiuser system, setting /home to noexec is a non-practical PITA for
the users, but on a publicly accessible server limiting $USRERHOMES can
save a lot of headaches. Desktops, well... I consider them to be insecure
anyway, so I don't automate any login or connection functions to an
otherwise more secure server.

Again, every system is different in design and function, and a general "do
this or that" (with the sole exception of update regularly and
immediately after advisories are posted) can fubar usage and contribute
greatly to loss of hair and grey matter. Best to get a couple good books
on the subject and devise your own security policies if system security is
a concern.

-- 
Keith Mastin
(416)429 9304
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
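
An added example, not part of the original message: a Python check of fstab text against the mount options the message lists (/home and /tmp noexec, /var noexec,nosuid, /usr nosuid, /boot not mounted, cdrom and floppy root-only). The sample fstab, the device names, and reading "root only" as the absence of the user/users/owner options are assumptions.

```python
# Policy from the message above; everything else here is constructed for illustration.
POLICY = {"/home": {"noexec"}, "/tmp": {"noexec"},
          "/var": {"noexec", "nosuid"}, "/usr": {"nosuid"}}
REMOVABLE = {"/dev/cdrom", "/dev/fd0"}  # assumed device names for cdrom and floppy

SAMPLE = """\
# constructed sample fstab, not from the original message
/dev/hda1  /boot       ext2     defaults            1 2
/dev/hda3  /usr        ext3     defaults,nosuid     1 2
/dev/hda5  /var        ext3     noexec              1 2
/dev/hda6  /tmp        ext3     noexec,nosuid,exec  1 2
/dev/cdrom /mnt/cdrom  iso9660  noauto,user,ro      0 0
/dev/fd0   /mnt/floppy auto     noauto              0 0
"""

def effective(opts):
    """Restrictive flags in force; mount applies options left to right."""
    on = set()
    for o in opts.split(","):
        if o in ("user", "users"):      # these imply noexec and nosuid
            on |= {"noexec", "nosuid"}
        elif o == "owner":              # implies nosuid
            on.add("nosuid")
        elif o in ("noexec", "nosuid"):
            on.add(o)
        elif o in ("exec", "suid"):     # a later exec/suid cancels the restriction
            on.discard("no" + o)
    return on

def audit(fstab_text):
    """Return (mount point, problem) pairs for entries that miss the policy."""
    findings, seen = [], set()
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        dev, mnt, _, opts = fields[:4]
        seen.add(mnt)
        optset = set(opts.split(","))
        missing = POLICY.get(mnt, set()) - effective(opts)
        if missing:
            findings.append((mnt, "missing " + ",".join(sorted(missing))))
        if mnt == "/boot" and "noauto" not in optset:
            findings.append((mnt, "mounted at boot (no noauto)"))
        if dev in REMOVABLE and optset & {"user", "users", "owner"}:
            findings.append((mnt, "non-root users may mount"))
    for mnt in sorted(set(POLICY) - seen):
        # noexec/nosuid are per-filesystem, so the path needs its own partition
        findings.append((mnt, "not a separate mount; options cannot apply"))
    return findings

if __name__ == "__main__":
    for mnt, problem in audit(SAMPLE):
        print(f"{mnt}: {problem}")
```

Point it at a real file with `audit(open("/etc/fstab").read())`; the /tmp line in the sample shows why the order of options matters, since the trailing `exec` undoes the earlier `noexec`.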




