On Tue, Mar 4, 2008 at 11:14 AM, Ed Brown <[EMAIL PROTECTED]> wrote:
> Speaking of the NSA guide, another recommendation (besides "remove
>  unnecessary software") is this:
>
>  (from http://www.nsa.gov/snac/os/redhat/rhel5-guide-i731.pdf)
>  ---------------------------------------------------------------
>  2.2.1.1 Add nodev Option to Non-Root Local Partitions
>   Edit the file /etc/fstab. The important columns for purposes of this
>  section are column 2 (mount point), column 3 (filesystem type), and
>  column 4 (mount options). For any line which satisfies all of the
>  conditions:
>  * The filesystem type is ext2 or ext3
>  * The mount point is not /
>  add the text ",nodev" to the list of mount options in column 4.
>  --------------------------------------------------------------
>
>  Of course the "list of mount options" in RHEL5 defaults to "defaults",
>  which according to the man page is: rw, suid, dev, exec, auto, nouser,
>  and async.
>
>  So, what is the effect of appending 'nodev' to 'defaults', since it
>  includes 'dev'?  Does last-stated option win, or does the list need to
>  be spelled out if any of the defaults are to be changed?
>
>  Besides chroot situations, where else does it NOT make sense to use
>  'nodev' for non-root partitions?
>

When I was doing this a long time ago, the only place I found it a
problem was certain third-party software that created its own 'private'
device when it ran. This was because it was used to running as root
and doing whatever it wanted; finding the corner case took a while
since its logging was less than useful. The solution was to put it on
its own partition and drop the nodev. Depending on the partition I
also add the following rules:

nosuid,nodev,noexec,nouser (usually in /tmp on a webserver.)


-- 
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
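
On the question of what appending nodev to "defaults" actually does: mount(8)
walks the option list left to right, each option sets or clears one flag, and
the later of a pair (dev/nodev, suid/nosuid, exec/noexec, ...) wins. "defaults"
is only a name for the kernel's starting state (rw,suid,dev,exec,auto,nouser,
async); it adds and clears nothing, so "defaults,nodev" resolves to nodev and the
list does not need to be spelled out. The script below is an added example, not
part of the thread or of the NSA guide: it models that resolution and applies the
guide's ext2/ext3 rule to fstab text read from stdin. The sample fstab is
constructed for the demo; the /opt/vendor line stands in for the "third-party
software makes its own device" case above, deliberately left without nodev.

```shell
#!/bin/sh
# effective_opts OPTLIST
# Resolve an fstab option list the way mount(8) does: start from the kernel
# defaults, apply options left to right, later option in a pair wins.
effective_opts() {
    f_rw=rw f_suid=suid f_dev=dev f_exec=exec f_auto=auto f_user=nouser f_async=async
    extra=
    old_ifs=$IFS
    IFS=,
    for o in $1; do
        case $o in
            defaults)        ;;                # names the starting state; changes nothing
            rw|ro)           f_rw=$o ;;
            suid|nosuid)     f_suid=$o ;;
            dev|nodev)       f_dev=$o ;;
            exec|noexec)     f_exec=$o ;;
            auto|noauto)     f_auto=$o ;;
            user|nouser)     f_user=$o ;;
            async|sync)      f_async=$o ;;
            '')              ;;                # tolerate a stray ",," in the list
            *)               extra="$extra,$o" ;;   # fs-specific options pass through
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$f_rw,$f_suid,$f_dev,$f_exec,$f_auto,$f_user,$f_async$extra"
}

# missing_nodev < fstab
# The guide's check: for every non-root ext2/ext3 line, print the mount point
# when the *effective* options (after resolution) still include dev.
missing_nodev() {
    while read -r fs mnt type opts _rest; do
        case $fs in ''|'#'*) continue ;; esac           # blank lines and comments
        case $mnt in /) continue ;; esac                # root is exempt
        case $type in ext2|ext3) ;; *) continue ;; esac # rule covers ext2/ext3 only
        case ",$(effective_opts "$opts")," in
            *,nodev,*) ;;
            *) printf '%s\n' "$mnt" ;;
        esac
    done
}

# Constructed sample fstab for the demo (not from any real system).
SAMPLE_FSTAB='# constructed sample
LABEL=/            /            ext3    defaults                        1 1
LABEL=/home        /home        ext3    defaults                        1 2
LABEL=/var         /var         ext3    defaults,nodev                  1 2
LABEL=/tmp         /tmp         ext3    defaults,nosuid,nodev,noexec    1 2
LABEL=/opt/vendor  /opt/vendor  ext3    defaults                        1 2
tmpfs              /dev/shm     tmpfs   defaults                        0 0
devpts             /dev/pts     devpts  gid=5,mode=620                  0 0
LABEL=SWAP-sda2    swap         swap    defaults                        0 0'

effective_opts defaults,nodev                    # rw,suid,nodev,exec,auto,nouser,async
effective_opts nodev,dev                         # rw,suid,dev,exec,auto,nouser,async (last wins)
printf '%s\n' "$SAMPLE_FSTAB" | missing_nodev    # /home and /opt/vendor
```

To run it against a real box, replace the sample with `missing_nodev < /etc/fstab`.
Note that the check only reads fstab; a partition that was remounted by hand
with different options needs `mount` or /proc/mounts to confirm what is actually
in effect.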

_______________________________________________
rhelv5-beta-list mailing list
rhelv5-beta-list@redhat.com
https://www.redhat.com/mailman/listinfo/rhelv5-beta-list
