Resource limits

More control on mounting a file system
You can have more control on mounting a file system like “/home” and 7tmp” partitions with some nifty options like noexec, nodev, and nosuid. This can be setup in the 7etc/fstab” text file. The fstab file contains descriptive information about the various file systems mount options; each line addresses one file system.
Information related to security options in the fstab text file are:
defaults Allow everything (quota, read-write, and suid) on this partition,
noquota Do not set users quotas on this partition.
nosuid Do not set SUID/SGID access on this partition.
nodev Do not set character or special devices access on this partition.
noexec Do not set execution of any binaries on this partition.
quota Allow users quotas on this partition.
ro Allow read-only on this partition.
rw Allow read-write on this partition.
suid Allow SUID/SGID access on this partition.
NOTE: For more information on options that you can set in this file (fstab), see the man pages about mount (8).
Edit the fstab file (vi /etc/fstab) and change it depending on your needs. For example:
/dev/sda11 /tmp ext2 defaults 1 2
/dev/sda6 /home ext2 defaults 1 2
To read:
/dev/sda11 /tmp ext2 defaults,rw,nosuid,nodev,noexec 1 2
/dev/sda6 /home ext2 defaults,rw,nosuid,nodev 1 2
Meaning, <nosuid>, do not allow set-user-identifier or set-group-identifier bits to take effect, <nodev>, do not interpret character or block special devices on this file system partition, and <noexec>, do not allow execution of any binaries on the mounted file system. Take a note that we have added the “rw” option to the modified lines above. This is because the default options for these lines are defaults, which means to set quota, read-write, and suid, so we must add the “rw” option to continue having read-write access on these modified file systems.
NOTE: For our example above, the 7dev/sda11″ represent our 7tmp” directory partition on the system, and 7dev/sda6″ the “/home” directory partition. Of course this will be not the same for you, depending on how you have partitioned your hard disk and what kind of disks are installed on your system, IDE (hda, hdb, etc) or SCSI (sda, sdb, etc).
Move the binary RPM in a safe place or change its default permission
Once you have installed all the software that you need on your Linux server with the RPM command, it’s a good idea for better security to move it to a safe place like a floppy disk or other safe place of your choice. With this method if some one accesses your server and has the intention to install evil software with RPM command, he shouldn’t be able. Of course, if in the future you want to install or upgrade new software via RPM, all you have to do is to replace the RPM binary to its original directory again.
• To move the RPM binary on the floppy disk, use the command:
[root@deep /]# mount /dev/fdO /mnt/floppy/
[root@deep /]# mv /bin/rpm /mnt/floppy/ [root@deep /]# umount /mnt/floppy
NOTE: Never uninstall the RPM program completely from your system or you will be unable to reinstall it again later, since to install RPM or other software you need to have RPM commands available.
One more thing you can do is change the default permission of the “rpm” command from 755 to 700. With this modification, non-root users can’t use the “rpm” program to query, install etc; in case you forget to move it to a safe place after installation of new programs.
• To change the default permission of 7bin/rpm”, use the command:
[root@deep /]# chmod 700 /bin/rpm

Страниц: 1 2