Re: read-only file systems

From: Silvex Security Team
Date: 09/11/01

From: Silvex Security Team <>
Message-Id: <>
Subject: Re: read-only file systems
To: (Heather Flanagan)
Date: Tue, 11 Sep 2001 01:20:36 -0700 (PDT)

On 'touchy' solaris/linux systems (firewalls, servers) I always have

/ rw,suid
/usr ro,suid
/var rw,nosuid (noexec on linux)
/usr/local/bin ro,suid
/opt ro,suid
/tmp rw,nosuid (noexec on linux)
/home rw,nosuid (noexec on linux)

> I know /usr can be comfortably turned in to a read-only file system for
> particularly hardened systems - or at least I can't think of any reason why
> not. Can the same be done with / on Solaris 8?
> -heather f.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Heather Flanagan, GSEC UNIX Systems Administrator
> Reciprocal, Inc. (919) 462-4642
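The scheme above can be turned into a check rather than a convention. The script below is an added example, not something from the poster or the list: it audits a Linux fstab-style table against the mount points and options listed in the reply (ro/rw, suid kept where set-uid binaries live, nosuid/noexec elsewhere). It is POSIX sh, the sample table is constructed for the example, and it assumes the Linux meaning of `defaults` (rw,suid,dev,exec,auto,nouser,async), which is why an entry mounted with `defaults` is reported as lacking nosuid and noexec. Solaris has no noexec option, so the table format and that check are Linux-specific, as the reply itself notes.

```shell
#!/bin/sh
# Added example (not from the original post): audit an fstab-style table against
# the mount-option scheme described in the reply. POSIX sh; uses only tr.

# Policy, one line per mount point: the point, then the options it must carry.
# "rw"/"ro" is the expected mode, "suid" means set-uid binaries must stay allowed
# (nosuid absent), and "nosuid"/"noexec" must be present.
POLICY="/ rw,suid
/usr ro,suid
/var rw,nosuid,noexec
/usr/local/bin ro,suid
/opt ro,suid
/tmp rw,nosuid,noexec
/home rw,nosuid,noexec"

# Constructed sample table (not a real system): /var lacks nosuid, /opt is
# mounted read-write, /home relies on "defaults", /proc is outside the policy.
SAMPLE_FSTAB="/dev/sda1 / ext3 rw,suid 1 1
/dev/sda2 /usr ext3 ro,suid 1 2
/dev/sda3 /var ext3 rw,noexec 1 2
/dev/sda4 /opt ext3 rw 1 2
/dev/sda5 /tmp ext3 rw,nosuid,noexec 1 2
/dev/sda6 /home ext3 defaults 1 2
none /proc proc defaults 0 0"

# has_opt LIST OPT: true if the comma-separated LIST contains OPT exactly.
has_opt() {
  case ",$1," in
    *",$2,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# policy_for MOUNTPOINT: print the required options, or fail if not governed.
policy_for() {
  pf_found=1
  while read -r pf_mp pf_opts; do
    if [ "$pf_mp" = "$1" ]; then
      printf '%s\n' "$pf_opts"
      pf_found=0
    fi
  done <<EOF
$POLICY
EOF
  return $pf_found
}

# check_opts MOUNTPOINT ACTUAL REQUIRED: print one line per violation, fail if any.
check_opts() {
  co_mp=$1 co_actual=$2 co_bad=0
  # Linux "defaults" stands for rw,suid,dev,exec,auto,nouser,async: no hardening.
  if has_opt "$co_actual" defaults; then
    co_actual="$co_actual,rw,suid,exec"
  fi
  for co_req in $(printf '%s' "$3" | tr ',' ' '); do
    case $co_req in
      rw)   if has_opt "$co_actual" ro; then
              echo "$co_mp: mounted ro, policy expects rw"; co_bad=1; fi ;;
      ro)   if ! has_opt "$co_actual" ro; then
              echo "$co_mp: missing ro"; co_bad=1; fi ;;
      suid) if has_opt "$co_actual" nosuid; then
              echo "$co_mp: nosuid set, but set-uid binaries live here"; co_bad=1; fi ;;
      nosuid|noexec)
            if ! has_opt "$co_actual" "$co_req"; then
              echo "$co_mp: missing $co_req"; co_bad=1; fi ;;
    esac
  done
  return $co_bad
}

# audit_fstab TABLE: walk every entry, report violations, fail if any were found.
audit_fstab() {
  af_rc=0
  while read -r af_dev af_mp af_type af_opts af_rest; do
    case $af_dev in ''|'#'*) continue ;; esac    # blank lines and comments
    af_req=$(policy_for "$af_mp") || continue    # not governed by the policy
    check_opts "$af_mp" "$af_opts" "$af_req" || af_rc=1
  done <<EOF
$1
EOF
  return $af_rc
}

# Run against the constructed sample; on a live box feed it "$(cat /etc/fstab)".
if audit_fstab "$SAMPLE_FSTAB"; then
  echo "all governed mount points comply"
else
  echo "policy violations found (see above)"
fi
```

Checking `/etc/fstab` catches the configured intent; comparing the same way against `/proc/mounts` (where the kernel reports the options actually in force) catches a filesystem that was remounted rw for maintenance and never put back.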
