On Mon, 2004-02-23 at 10:25, Kiko Piris wrote:
> On 23/02/2004 at 07:52, Albert Cahalan wrote:
> > Nope. This is Linux, which kicks ass. On your
> > single-partition Linux 2.6 system, do this:
> >
> > mount --bind /home /home
> > mount --bind -o remount,nosuid /home /home
>
> Oh!, nice thing. I discovered mount -bind some days ago and I didn't
> realize this utility. Very nice!.
>
> However, some of the servers I admin run 2.4 (and I do not plan to move
> them to 2.6, so...).

Everybody should run 2.6 now. :-)

Here's an even better trick. Mount all your partitions
with nosuid, then use file-on-file bind mounts to enable
setuid on a per-executable basis. Like this:

mount --bind /home/albert/su /home/albert/su
mount -o remount,suid /home/albert/su /home/albert/su

With that, /proc/mounts lists this single file as a mount point:

/dev/root /home/albert/su ext2 rw 0 0

WARNING: this might not play nice with apt-get; you can't
move or hard-link across mount points. Maybe this is a
desirable "problem" though.

Another neat trick would be to somehow make use of the
CLONE_NEWNS flag. This isn't so easy though. You could
have getty+login use it, then bind mount a user's ~/tmp
over /tmp for a private /tmp. You could use it to unmount
or overmount filesystems as seen from processes that are
children of the web server.

> > Problem solved, without the disk management issues.
>
> Yes, but: What if some dumb|malicious user|program fills /home ?
> Or a daemon goes crazy and fills /var/log ?

Doesn't the XFS filesystem offer directory quotas?

I fear your concern leads to one partition per user and
one partition per daemon, excepting mail service which
gets many partitions for itself.
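
An audit for the nosuid-everywhere scheme described in the message, as an added example that is not part of the original post: it lists every /proc/mounts entry that still honours setuid, which under that scheme should be only the per-executable bind mounts. The function names and SAMPLE are hypothetical; SAMPLE is constructed apart from the /home/albert/su line quoted in the message.

```sh
#!/bin/sh
# Added example (not from the original post): list mounts that still honour setuid.
# Function names and SAMPLE are hypothetical; SAMPLE is constructed, except the
# /home/albert/su line, which is the /proc/mounts entry quoted in the message.

# Read /proc/mounts-format text on stdin; print "MOUNTPOINT<TAB>FSTYPE" for
# every entry whose option list has no exact "nosuid" field.
suid_mounts() {
    awk '
    NF < 4 { next }
    {
        nosuid = 0
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) if (opt[i] == "nosuid") nosuid = 1
        if (nosuid) next
        mp = $2
        gsub(/\\040/, " ", mp)   # the kernel writes a space as \040
        print mp "\t" $3
    }'
}

# Prefix each line from suid_mounts with what the mount point is on this system:
# "file" = one executable allowed, "dir" = a whole tree honours setuid.
classify() {
    tab=$(printf '\t')
    while IFS=$tab read -r mp fstype; do
        if [ -f "$mp" ]; then kind=file
        elif [ -d "$mp" ]; then kind=dir
        else kind=missing
        fi
        printf '%s\t%s\t%s\n' "$kind" "$mp" "$fstype"
    done
}

SAMPLE='/dev/root / ext2 rw,nosuid 0 0
/dev/root /home ext2 rw,nosuid,nodev 0 0
/dev/root /home/albert/su ext2 rw 0 0
/dev/sda3 /mnt/usb\040stick vfat rw 0 0
tmpfs /dev/shm tmpfs rw 0 0'

printf '%s\n' "$SAMPLE" | suid_mounts | classify
```

On a live system, run `suid_mounts < /proc/mounts | classify`; any "dir" line is a tree where setuid bits are still honoured.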

