Why the need to mount a partition with nosuid when noexec is present?

10

2

I am using Fedora Core. I am to create a partition /data where users post some data (all have r+w permissions). Hence, for security purposes, I have to make it non-executable.

I understand from Linux security that noexec and nosuid must both be enabled for /data during mounting. I understand noexec and have it enabled. However I don't have nosuid enabled.

Any reason why both noexec and nosuid should be enabled for /data? Doesn't having just noexec suffice - since the users would not be able to run scripts and other programs, and nosuid does not matter?

zethra

Posted 2013-01-11T16:12:30.820

Reputation: 103

You would think so [that nosuid is redundant], yes. Can you cite any reference that recommended that you needed to enable nosuid even though noexec was already enabled? – Celada – 2013-01-11T18:19:08.180

Actually I have seen that everywhere. Even CIS benchmarks state nosuid to be a different check on /tmp partition. Other references are just by googling: http://www.techrepublic.com/blog/opensource/secure-temporary-files-in-linux/171

– zethra – 2013-01-11T18:43:50.270

I have to guess that they're just being safe: so if you forget to set noexec at least you've still got nosuid. It's a weak argument though since both flags are configured in the same place, so if you forget one you're likely to forget the other one too! – Celada – 2013-01-11T18:49:56.947

Answers

2

According to the mount man page

noexec

Do not allow direct execution of any binaries on the mounted filesystem. (Until recently it was possible to run binaries anyway using a command like /lib/ld*.so /mnt/binary. This trick fails since Linux 2.4.25 / 2.6.0.)

So this looks like it's old advice from when noexec didn't stop all binaries from running, at least they weren't run with root privs.

peteches

Posted 2013-01-11T16:12:30.820

Reputation: 204

If you ran the executable with that trick, would it have gotten set-uid permissions? – Barmar – 2017-06-08T14:58:31.983
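As an added example (not from the thread or any of its posters), here is a small audit script that checks a shared partition's mount options the way the question and the CIS benchmarks mentioned above want them checked. It goes slightly beyond the thread by also checking nodev, which the benchmarks pair with noexec and nosuid; the helper name `missing_mount_opts` and the sample mount table are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original thread): audit a mount table for a
# shared data partition and report which hardening options are absent.
# The field layout (device mountpoint fstype options ...) is the same in
# /proc/self/mounts and /etc/fstab, so either can be fed on stdin.
# Kernel semantics the check relies on:
#   noexec - execve() of files on the filesystem is refused
#   nosuid - setuid/setgid bits (and file capabilities) are ignored
#   nodev  - device nodes on the filesystem are not honoured
# nodev is included because CIS-style baselines pair it with the other two;
# the thread itself only discusses noexec and nosuid.

# missing_mount_opts MOUNTPOINT
#   Reads a mount table on stdin. Prints the missing options, space separated.
#   Exit 0: all present; 1: something missing; 2: mount point not in table.
missing_mount_opts() {
    mp=$1
    # If a mount point appears several times (over-mounts, bind mounts) the
    # last line in /proc/mounts is the one currently visible, so keep that.
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' | tail -n 1)
    [ -n "$opts" ] || return 2
    missing=''
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *,"$want",*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    [ -n "$missing" ] || return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample mount table (not captured from a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /data ext4 rw,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdc1 /srv/upload xfs rw,nosuid,nodev,noatime 0 0'

# Report on the shared partitions in the sample; replace the printf with
# "cat /proc/self/mounts" to audit the running system instead.
for mp in /data /tmp /srv/upload; do
    if m=$(printf '%s\n' "$SAMPLE_MOUNTS" | missing_mount_opts "$mp"); then
        echo "$mp: ok"
    else
        echo "$mp: missing ${m:-(mount point not found)}"
    fi
done
```

Run on the sample, /data (mounted with noexec only, like the questioner's setup) is reported as missing nosuid and nodev, while /tmp passes.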