Score:-3

Server

Hardening /home Directory via /etc/fstab

Maestro223

5/30/23, 6:08 AM

I am on Ubunto 20.04 server using a single partition at / for all directories as I am running web & mail servers. I hardened tmp , /var/tmp , & /run/shm using:

none /tmp       tmpfs nodev,noexec,nosuid 0 0
none /var/tmp   tmpfs nodev,noexec,nosuid 0 0
none /run/shm   tmpfs noexec,nosuid,nodev 0 0

I would like to add the nodev option to my /home directory without creating a whole new partition. I've added:
none /home ext4 nodev 0 0 to /etc/fstab

However, when I run mount -a for the config to effect, I get the following message: mount: /home: special device none does not exist.

Is this the expected output given my config or have done something fatally wrong? If someone can share a correct method to nodev to /home, I'd appreciate it.

thanks

Goal
I want to prevent the /home directory from being used for defining character and block special devices. Therefore, I want to set the nodev option, so that users cannot create these types of files.

154

0 + 0

linux

fstab

Bob

5/30/23, 6:47 AM

I *”think”* that your `/home` must be it’s own filesystem for you to be able to apply mount options, and that you cannot set mount options on subdirectories. - Then additionally people expect their home directory data to be persistent and you don’t create a tmpfs file system for that.

Halfgaar

5/30/23, 1:04 PM

Can you also comment on what you're trying to protect? For instance, you can still run executables, even without the executable bit on a file.

Maestro223

5/30/23, 1:12 PM

@Halfgaar, I updated my post with a "goal" section to answer your question.

djdomi

5/30/23, 4:16 PM

how should non root user be able to create block or dev devices?

Maestro223

5/30/23, 4:25 PM

@djdomi I am actually just trying to achieve the fstab hardening advice mentioned in this very thorough server hardening guide https://linoxide.com/ultimate-guide-secure-ubuntu/ using a single partition instead of multiple. This person who knows a lot more than me seems to think its a legitimate concern.

djdomi

5/30/23, 4:31 PM

fstab can be used for partions not for subfolder. Thats a fact you cant change. and you can try to login to the system and try as user to create a dev it will mostly not possible

Maestro223

5/30/23, 4:49 PM

@djdomi, I don't question your expertise. It's just that I got the first 3 fstab entries in my post to work / function as desired despite them not being separate partitions. I was simply thrown when the 4th entry for /home had strange output.

djdomi

5/30/23, 5:18 PM

the reason it works is that you use tmpfs ehich create a temporarily fs you vsn create nearly any folder with that but it will be gone after reboot. It doesnt change the requirements that /home must ve a separate partion that you can use fstab as already stated but not acceptable to your self ;)

Maestro223

5/30/23, 5:29 PM

Who said I didn't accept your explanation? If you post an official answer, I'd gladly officially accept it.. ;-) In any case, thx for the feedback, I will move to other problems.

Score:1

Server

NoBody

5/31/23, 12:14 PM

Mount options are set per file system (with the bind mount as the only "loophole" that I know of, as that uses an existing directory and mounts that as new separate file system )

A directory is NOT a partition/LVM volume/file system.

Therefor you can't use /etc/fstab or mount options on just your `/home directory.

If you have a business need for that, you'll need to migrate /home away from the root file system to its own partition/LVM volume/file system first.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Hardening /home Directory via /etc/fstab

TH: การทำให้ไดเร็กทอรี /home แข็งขึ้นผ่าน /etc/fstab

RO: Hardening /home Directory prin /etc/fstab

RU: Укрепление каталога /home через /etc/fstab

VI: Làm cứng thư mục /home qua /etc/fstab

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.