
I am on Ubuntu 20.04 server using a single partition at / for all directories as I am running web & mail servers. I hardened /tmp, /var/tmp, & /run/shm using:

none /tmp       tmpfs nodev,noexec,nosuid 0 0
none /var/tmp   tmpfs nodev,noexec,nosuid 0 0
none /run/shm   tmpfs noexec,nosuid,nodev 0 0

I would like to add the nodev option to my /home directory without creating a whole new partition. I've added `none /home ext4 nodev 0 0` to /etc/fstab.

However, when I run `mount -a` for the config to take effect, I get the following message: `mount: /home: special device none does not exist.`

Is this the expected output given my config, or have I done something fatally wrong? If someone can share a correct method to add nodev to /home, I'd appreciate it.

thanks

Goal
I want to prevent the /home directory from being used for defining character and block special devices. Therefore, I want to set the nodev option, so that users cannot create these types of files.

Paul
Maestro223
  • I *"think"* that your `/home` must be its own filesystem for you to be able to apply mount options, and that you cannot set mount options on subdirectories. Then additionally, people expect their home directory data to be persistent, and you don't create a tmpfs file system for that. – Bob Jan 30 '22 at 06:47
  • Can you also comment on what you're trying to protect? For instance, you can still run executables, even without the executable bit on a file. – Halfgaar Jan 30 '22 at 13:04
  • @Halfgaar, I updated my post with a "goal" section to answer your question. – Maestro223 Jan 30 '22 at 13:12
  • How should a non-root user be able to create block or dev devices? – djdomi Jan 30 '22 at 16:16
  • @djdomi I am actually just trying to achieve the fstab hardening advice mentioned in this very thorough server hardening guide https://linoxide.com/ultimate-guide-secure-ubuntu/ using a single partition instead of multiple. This person who knows a lot more than me seems to think it's a legitimate concern. – Maestro223 Jan 30 '22 at 16:25
  • fstab can be used for partitions, not for subfolders. That's a fact you can't change. And you can try to log in to the system and try as a user to create a dev; it will mostly not be possible. – djdomi Jan 30 '22 at 16:31
  • @djdomi, I don't question your expertise. It's just that I got the first 3 fstab entries in my post to work / function as desired despite them not being separate partitions. I was simply thrown when the 4th entry for /home had strange output. – Maestro223 Jan 30 '22 at 16:49
  • The reason it works is that you use tmpfs, which creates a temporary fs; you can create nearly any folder with that, but it will be gone after reboot. It doesn't change the requirement that /home must be a separate partition so that you can use fstab, as already stated but not acceptable to yourself ;) – djdomi Jan 30 '22 at 17:18
  • Who said I didn't accept your explanation? If you post an official answer, I'd gladly officially accept it.. ;-) In any case, thx for the feedback, I will move to other problems. – Maestro223 Jan 30 '22 at 17:29

1 Answer

Mount options are set per file system (with the bind mount as the only "loophole" that I know of, as that uses an existing directory and mounts that as a new separate file system).

A directory is NOT a partition/LVM volume/file system.

Therefore you can't use /etc/fstab or mount options on just your `/home` directory.

If you have a business need for that, you'll need to migrate /home away from the root file system to its own partition/LVM volume/file system first.

NoBody
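
The answer's point, that options attach to a mount point and a directory only inherits those of the file system containing it, can be checked against `/proc/self/mounts`-format data. The script below is an added example, not part of the original answer; the sample mount tables, `/dev/sda1`, `/home/alice` and the bind-mount fstab line in its comments are constructed assumptions.

```shell
#!/bin/sh
# effective_opts PATH  (reads /proc/self/mounts-format lines on stdin)
# Prints the option string of the mount that covers PATH: the deepest mount
# point that is PATH itself or a parent of it. Later lines win ties because
# they overmount earlier ones. Octal escapes such as \040 are not decoded.
effective_opts() {
    awk -v p="$1" '
        BEGIN { best = 0 }
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }
    '
}

# has_opt PATH OPTION: exit status 0 if OPTION applies to PATH.
has_opt() {
    case ",$(effective_opts "$1")," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed sample: single root partition plus tmpfs mounts, as in the question.
sample_before() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

# Constructed sample: the same host after /home is bind-mounted onto itself
# with nodev. Assumed fstab line (not from the page):
#   /home /home none bind,nodev 0 0
sample_after() {
    sample_before
    echo '/dev/sda1 /home ext4 rw,nodev,relatime 0 0'
}

for s in sample_before sample_after; do
    if $s | has_opt /home/alice nodev; then r=yes; else r=no; fi
    echo "$s: nodev applies to /home/alice: $r"
done
```

On a live host, feed it the real table with `has_opt /home nodev < /proc/self/mounts`.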