4.10. Mounting partitions the right way

When mounting an Ext file system (ext2, ext3 or ext4), there are several additional options you can apply to the mount call or to /etc/fstab. For instance, this is my fstab entry for the /tmp partition:

  /dev/hda7 /tmp ext2 defaults,nosuid,noexec,nodev 0 2

You see the difference in the options sections. The option nosuid ignores the setuid and setgid bits completely, while noexec forbids execution of any program on that mount point, and nodev ignores device files. This sounds great, but it:

  • only applies to ext2 or ext3 file systems

  • can be circumvented easily

The noexec option prevents binaries from being executed directly, but was easily circumvented in earlier versions of the kernel:

  alex@joker:/tmp# mount | grep tmp
  /dev/hda7 on /tmp type ext2 (rw,noexec,nosuid,nodev)
  alex@joker:/tmp# ./date
  bash: ./date: Permission denied
  alex@joker:/tmp# /lib/ld-linux.so.2 ./date
  Sun Dec 3 17:49:23 CET 2000

Newer versions of the kernel do however handle the noexec flag properly:

  angrist:/tmp# mount | grep /tmp
  /dev/hda3 on /tmp type ext3 (rw,noexec,nosuid,nodev)
  angrist:/tmp# ./date
  bash: ./tmp: Permission denied
  angrist:/tmp# /lib/ld-linux.so.2 ./date
  ./date: error while loading shared libraries: ./date: failed to map segment
  from shared object: Operation not permitted

However, many script kiddies have exploits which try to create and execute files in /tmp. If they do not have a clue, they will fall into this pit. In other words, a user cannot be tricked into executing a trojanized binary in /tmp, e.g. when /tmp is accidentally added to the local PATH.

Also be forewarned that some scripts might depend on /tmp being executable. Most notably, Debconf has (had?) some issues regarding this; for more information see http://bugs.debian.org/116448.

The following is a more thorough example. Note, though, that while /var could be set noexec, some software [15] keeps its programs under /var. The same applies to the nosuid option.

  /dev/sda6 /usr ext3 defaults,ro,nodev 0 2
  /dev/sda12 /usr/share ext3 defaults,ro,nodev,nosuid 0 2
  /dev/sda7 /var ext3 defaults,nodev,usrquota,grpquota 0 2
  /dev/sda8 /tmp ext3 defaults,nodev,nosuid,noexec,usrquota,grpquota 0 2
  /dev/sda9 /var/tmp ext3 defaults,nodev,nosuid,noexec,usrquota,grpquota 0 2
  /dev/sda10 /var/log ext3 defaults,nodev,nosuid,noexec 0 2
  /dev/sda11 /var/account ext3 defaults,nodev,nosuid,noexec 0 2
  /dev/sda13 /home ext3 rw,nosuid,nodev,exec,auto,nouser,async,usrquota,grpquota 0 2
  /dev/fd0 /mnt/fd0 ext3 defaults,users,nodev,nosuid,noexec 0 0
  /dev/fd0 /mnt/floppy vfat defaults,users,nodev,nosuid,noexec 0 0
  /dev/hda /mnt/cdrom iso9660 ro,users,nodev,nosuid,noexec 0 0
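A check like the following can confirm that an fstab still carries these options after later edits. It is an added example, not part of the original manual; the policy table, the function names and the sample entries are assumptions made for illustration. It resolves options left to right, so a later exec cancels an earlier noexec, and treats user/users as implying all three restrictions, as mount(8) documents.

```python
# Assumed policy, modelled on the example fstab above; adjust per system.
STRICT = {"nodev", "nosuid", "noexec"}
POLICY = {"/tmp": STRICT, "/var/tmp": STRICT, "/var/log": STRICT,
          "/home": {"nodev", "nosuid"}, "/usr": {"nodev"}}
# Each restriction and the option that switches it back off.
TOGGLES = {"noexec": "exec", "nosuid": "suid", "nodev": "dev"}
# Per mount(8), user/users imply noexec,nosuid,nodev unless overridden later.
IMPLIES_ALL = {"user", "users"}


def effective_restrictions(options):
    """Resolve an fstab option string left to right; later options win."""
    active = set()
    for opt in options.split(","):
        if opt in IMPLIES_ALL:
            active |= set(TOGGLES)
        elif opt in TOGGLES:
            active.add(opt)
        else:  # exec/suid/dev cancel the matching restriction
            active -= {r for r, undo in TOGGLES.items() if opt == undo}
    return active


def audit_fstab(text, policy=POLICY):
    """Return {mount_point: missing options, or None if it has no entry}."""
    seen = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and not fields[0].startswith("#"):
            seen[fields[1]] = effective_restrictions(fields[3])
    findings = {}
    for mount_point, required in policy.items():
        if mount_point not in seen:
            findings[mount_point] = None  # not a separate file system
        elif required - seen[mount_point]:
            findings[mount_point] = sorted(required - seen[mount_point])
    return findings


# Constructed sample: /tmp re-enables exec, /var/tmp has no entry of its own.
SAMPLE = """\
/dev/sda8  /tmp     ext3 defaults,nodev,nosuid,noexec,exec 0 2
/dev/sda10 /var/log ext3 defaults,nodev,nosuid,noexec      0 2
/dev/sda13 /home    ext3 rw,nosuid,nodev,exec,auto         0 2
/dev/sda6  /usr     ext3 defaults,ro                       0 2
"""

if __name__ == "__main__":
    for mp, missing in audit_fstab(SAMPLE).items():
        print(mp, "no entry" if missing is None else "missing " + ",".join(missing))
```

To audit a live system, pass the contents of /etc/fstab to audit_fstab() instead of SAMPLE.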

4.10.1. Setting /tmp noexec

Be careful when setting /tmp noexec if you want to install new software, since some programs might use it for installation. apt is one such program (see http://bugs.debian.org/116448) if APT::ExtractTemplates::TempDir is not configured properly (see apt-extracttemplates(1)). You can set this variable in /etc/apt/apt.conf to a directory other than /tmp that has exec privileges.

4.10.2. Setting /usr read-only

If you set /usr read-only you will not be able to install new packages on your Debian GNU/Linux system. You will have to first remount it read-write, install the packages and then remount it read-only. apt can be configured to run commands before and after installing packages, so you might want to configure it properly.

Modify /etc/apt/apt.conf and add:

  DPkg
  {
      Pre-Invoke { "mount /usr -o remount,rw" };
      Post-Invoke { "mount /usr -o remount,ro" };
  };

Note that the Post-Invoke may fail with a “/usr busy” error message. This happens mainly when files that were replaced during the update are still in use. You can find the programs using them by running

  # lsof +L1

Stop or restart these programs and run the Post-Invoke manually. Beware! This means you’ll likely need to restart your X session (if you’re running one) every time you do a major upgrade of your system. You might want to reconsider whether a read-only /usr is suitable for your system. See also this discussion on debian-devel about read-only.


[15] This includes the package manager dpkg, since the installation (post,pre) and removal (post,pre) scripts are in /var/lib/dpkg/, and Smartlist.