Re: mounting /tmp from fstab
> > FWIW, here is the relevant line...
> >
> > /dev/md0 /tmp ext2 defaults 0 2
>
> that's ok, but i would mount it defaults,nosuid for extra security.
> (it depends on how you partitioned if /var and /tmp and /home are their own partitions you should be able to mount them all nosuid)

1) extra security?

[03:11:45 /tmp]$ man 8 mount | grep -A1 -B3 suid
nosuid Do not allow set-user-identifier or set-group-identifier bits to take effect. (This seems safe, but is in fact rather unsafe if you have suidperl(1) installed.)
[03:11:55 /tmp]$

2) Is set-group-identifier the same s that I got for my home dir?

[03:14:03 /tmp]$ ls -ld ~
drwxr-sr-x 27 shaul shaul 2048 Feb 25 03:09 /home/shaul
[03:14:05 /tmp]$

--
Shaul Karl [EMAIL PROTECTED]
An elephant is a mouse with an operating system.
Re: mounting /tmp from fstab
On Thu, Feb 24, 2000 at 06:50:33PM -0500, Jonathan Lupa wrote:
> Thanks all, I'll just follow this advice below. Where in the boot chain should this go? Currently, I'm adding it to /etc/init.d/bootmisc.sh.

hmm? the chmod is permanent, just like when you chmod any other directory on a unix like filesystem the permissions don't go away on reboot, they are permanent, same is true for /tmp (so long as it's a unix like filesystem like ext2)

just make sure you use permissions 1777

[EMAIL PROTECTED] eb]$ ls -ld /tmp/
drwxrwxrwt 4 root root 1024 Feb 24 07:25 /tmp/
[EMAIL PROTECTED] eb]$

the 1 is the sticky bit (the t) which prevents users from deleting files they don't own.

> Tertiary question - why nosuid on /var or /home? Don't some programs leave some stuff in /var (vgetty comes to mind), and shouldn't you allow users to set sticky bits on their own stuff? It doesn't make much difference on this machine since it is my desktop, but I'd like to know for future reference. :)

/var is more questionable for nosuid since some (imo broken) stuff keeps suid binaries there, my system has no such packages installed there are no set[ug]id files anywhere in /var so i can mount it nosuid and not have to worry about any suid root shells being hidden away in the all too many world writable directories there.

note that the s bit is NOT the sticky bit the sticky bit shows up as a t in the last character of the permissions (see /tmp)

the sticky bit is only relevant on directories. normally users who have write permission to a directory may delete any file in that directory regardless of whether they own the files or have any permission to the files, that is not always desirable (/tmp and any other world writable place) setting the sticky bit changes this behaviour to only allow a user to delete a file if 1) they own it or 2) they own the directory.

nosuid has no effect whatsoever on the sticky bit.

> Thanks again!

no problem

--
Ethan Benson
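Added example, not part of the thread: a shell audit for the two conditions discussed in the message above, set[ug]id files on a filesystem that is a candidate for nosuid, and world-writable directories that lack the sticky bit. The function names and the temporary tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Regular files under $1 with the setuid (4000) or setgid (2000) bit set.
# -xdev keeps find on one filesystem, which is the unit nosuid applies to.
# -type f skips setgid directories: that bit only controls group
# inheritance there and is unrelated to the nosuid mount option.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# World-writable directories under $1 that lack the sticky bit (1000).
# In these, any user can delete or rename files owned by someone else.
find_unsticky_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print
}

# Constructed tree: one directory set up like /tmp, one world-writable
# directory without the sticky bit, one setgid directory, and one setuid
# file hidden in the world-writable area.
demo() {
    root=$(mktemp -d) || return 1
    mkdir "$root/spool" "$root/scratch" "$root/shared"
    chmod 1777 "$root/spool"
    chmod 0777 "$root/scratch"
    chmod 2775 "$root/shared"
    : > "$root/spool/helper"; chmod 4755 "$root/spool/helper"
    : > "$root/spool/plain";  chmod 0755 "$root/spool/plain"
    echo "set[ug]id files:"
    find_setid_files "$root"
    echo "world-writable directories without sticky bit:"
    find_unsticky_dirs "$root"
    rm -rf "$root"
}
demo
```

An empty result from find_setid_files on a mounted filesystem is the condition described above for /var before adding nosuid.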
Re: mounting /tmp from fstab
On Fri, Feb 25, 2000 at 03:16:42AM +0200, Shaul Karl wrote:
> 1) extra security?
>
> [03:11:45 /tmp]$ man 8 mount | grep -A1 -B3 suid
> nosuid Do not allow set-user-identifier or set-group-identifier bits to take effect. (This seems safe, but is in fact rather unsafe if you have suidperl(1) installed.)
> [03:11:55 /tmp]$
>
> 2) Is set-group-identifier the same s that I got for my home dir?
>
> [03:14:03 /tmp]$ ls -ld ~
> drwxr-sr-x 27 shaul shaul 2048 Feb 25 03:09 /home/shaul
> [03:14:05 /tmp]$

no setgid on directory does not matter as far as the nosuid mount option is concerned, the setgid bit on your home dir is completely pointless though AFAICT, your primary group is shaul so everything you create will have that group anyway, it's only useful when you have a shared directory with a different group, the setgid bit would ensure everything you create there has that group instead of your primary group (a la BSD)

nosuid just causes the kernel to refuse to execute a binary with the set[ug]id bit set if the owner of the file does not match the user trying to execute it. does not matter for directories since you cannot execute them.

--
Ethan Benson
Re: mounting /tmp from fstab
On Wed, Feb 23, 2000 at 11:53:45PM -0500, Jonathan Lupa wrote:
> Hi all, I'm having what is probably a stupid problem mounting /tmp from fstab. Basically it ends up with permissions of 755.
>
> Is there any way to control permissions of an ext2 partition via fstab? (mode=, and umask= seem to only work for other fs's).

no

no, just use chmod ;-)

chmod 1777 /tmp

after you mount the filesystem. the root directory of a filesystem is a directory like any other and has permissions and ownership/groups just like any other directory, you don't need to use any DOSfs kludges to deal with perms on it.

> FWIW, here is the relevant line...
>
> /dev/md0 /tmp ext2 defaults 0 2

that's ok, but i would mount it defaults,nosuid for extra security. (it depends on how you partitioned if /var and /tmp and /home are their own partitions you should be able to mount them all nosuid)

--
Ethan Benson
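Added example, not part of the thread: a shell check that reads an fstab(5)-format file and reports whether a mount point ends up nosuid, plus a test for the 1777 mode recommended above. The function names are hypothetical and the /home and /floppy rows of the sample are constructed; it goes slightly beyond the thread by honouring option order and the nosuid that mount(8) documents as implied by user, users, owner and group.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the suid policy that fstab-format file $1 gives mount point $2:
# "nosuid", "suid", or "absent" when the mount point is not listed.
fstab_suid_policy() {
    awk -v mp="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }   # comments, blank or short lines
        $2 == mp {
            found = 1
            policy = "suid"                   # default when nothing says otherwise
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {        # later options override earlier ones
                if (opt[i] == "nosuid") policy = "nosuid"
                else if (opt[i] == "suid") policy = "suid"
                else if (opt[i] ~ /^(user|users|owner|group)$/) policy = "nosuid"
            }
        }
        END { print (found ? policy : "absent") }
    ' "$1"
}

# Succeed only if directory $1 has exactly mode 1777 (uses GNU stat -c).
is_mode_1777() {
    [ "$(stat -c %a "$1")" = "1777" ]
}

# Sample fstab: the /tmp row is the line from the thread, /var/tmp uses the
# options shown in the thread, the /home and /floppy rows are constructed.
sample_fstab() {
    cat <<'EOF'
# <device>  <mountpoint>  <type>  <options>        <dump> <pass>
/dev/md0    /tmp          ext2    defaults         0 2
/dev/hda9   /var/tmp      ext2    rw,nosuid        0 2
/dev/hda7   /home         ext2    defaults,nosuid  0 2
/dev/fd0    /floppy       auto    user,noauto      0 0
EOF
}

f=$(mktemp) && sample_fstab > "$f"
for mp in /tmp /var/tmp /home /floppy /usr; do
    printf '%-9s %s\n' "$mp" "$(fstab_suid_policy "$f" "$mp")"
done
rm -f "$f"
```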
Re: mounting /tmp from fstab
adjust the permissions of /tmp (the mountpoint itself) before mounting the filesystem it should get mounted correctly.

nate

On Wed, 23 Feb 2000, Jonathan Lupa wrote:

jjlupa> Hi all, I'm having what is probably a stupid problem mounting /tmp
jjlupa> from fstab. Basically it ends up with permissions of 755.
jjlupa>
jjlupa> Is there any way to control permissions of an ext2 partition via
jjlupa> fstab? (mode=, and umask= seem to only work for other fs's).
jjlupa>
jjlupa> FWIW, here is the relevant line...
jjlupa>
jjlupa> /dev/md0 /tmp ext2 defaults 0 2
jjlupa>
jjlupa> Thanks!
jjlupa>
jjlupa> Jonathan
jjlupa> --
jjlupa> [EMAIL PROTECTED]
jjlupa> GPG public key available from http://www.jamdata.net/~jjlupa/gpg.asc
Re: mounting /tmp from fstab
On Wed, Feb 23, 2000 at 10:32:27PM -0800, aphro wrote:
> adjust the permissions of /tmp (the mountpoint itself) before mounting the filesystem it should get mounted correctly.

actually no, the permissions of the mountpoint are irrelevant as they are replaced with the permissions of the filesystem being mounted. (its root directory permission that is)

[EMAIL PROTECTED] /var]# ls -ld tmp/
drwxrwxrwt 5 root root 1024 Feb 23 00:55 tmp/
[EMAIL PROTECTED] /var]# mount | grep -w /var/tmp
/dev/hda9 on /var/tmp type ext2 (rw,nosuid)
[EMAIL PROTECTED] /var]# umount tmp/
[EMAIL PROTECTED] /var]# ls -ld tmp/
drwxr-xr-x 2 root root 4096 Jan 11 20:38 tmp/
[EMAIL PROTECTED] /var]# mount tmp/
[EMAIL PROTECTED] /var]# ls -ld tmp/
drwxrwxrwt 5 root root 1024 Feb 23 00:55 tmp/
[EMAIL PROTECTED] /var]#

--
Ethan Benson
Re: mounting /tmp from fstab
On Wed, 23 Feb 2000, aphro wrote:
> adjust the permissions of /tmp (the mountpoint itself) before mounting the filesystem it should get mounted correctly.

No. You need to set the permissions after the partition is mounted. I tested this by creating a directory, doing a chmod 777 on it, then using it as a mount point... ls -l showed a mode of 755, not 777.

I've also chown/chmoded floppies to a specific user after they have been mounted so that whenever they are mounted in the future they are owned by that user (a good trick if you are worried that putting your pgp/gpg keyring backups on a floppy and having them fall into the wrong hands, of course it does no good if the wrong hands have root access on a linux machine).

later,
Bruce
Re: mounting /tmp from fstab
Thanks all, I'll just follow this advice below. Where in the boot chain should this go? Currently, I'm adding it to /etc/init.d/bootmisc.sh.

Tertiary question - why nosuid on /var or /home? Don't some programs leave some stuff in /var (vgetty comes to mind), and shouldn't you allow users to set sticky bits on their own stuff? It doesn't make much difference on this machine since it is my desktop, but I'd like to know for future reference. :)

Thanks again!

Jonathan

On Wed, Feb 23, 2000 at 08:38:01PM -0900, Ethan Benson wrote:
> On Wed, Feb 23, 2000 at 11:53:45PM -0500, Jonathan Lupa wrote:
> > Hi all, I'm having what is probably a stupid problem mounting /tmp from fstab. Basically it ends up with permissions of 755.
> >
> > Is there any way to control permissions of an ext2 partition via fstab? (mode=, and umask= seem to only work for other fs's).
>
> no
>
> no, just use chmod ;-)
>
> that's ok, but i would mount it defaults,nosuid for extra security. (it depends on how you partitioned if /var and /tmp and /home are their own partitions you should be able to mount them all nosuid)

--
[EMAIL PROTECTED]
GPG public key available from http://www.jamdata.net/~jjlupa/gpg.asc