I am using Fedora Core. I am to create a partition /data where users post some data (all have r+w permissions). Hence, for security purposes, I have to make it non-executable.

I understand from Linux security that noexec and nosuid must both be enabled for /data during mounting. I understand noexec and have it enabled. However, I don't have nosuid enabled.

Any reason why both noexec and nosuid should be enabled for /data? Doesn't having just noexec suffice, since the users would not be able to run scripts and other programs, and nosuid does not matter?
You would think so [that nosuid is redundant], yes. Can you cite any reference that recommended that you needed to enable nosuid even though noexec was already enabled? – Celada – 2013-01-11T18:19:08.180

Actually I have seen that everywhere. Even CIS benchmarks state nosuid to be a different check on /tmp partition. Other references are just by googling: http://www.techrepublic.com/blog/opensource/secure-temporary-files-in-linux/171 – zethra – 2013-01-11T18:43:50.270

I have to guess that they're just being safe: so if you forget to set noexec at least you've still got nosuid. It's a weak argument though since both flags are configured in the same place, so if you forget one you're likely to forget the other one too! – Celada – 2013-01-11T18:49:56.947
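A small audit script, added here as an example and not part of the question or comments above: it reads a mount table in the /proc/mounts format and reports which of noexec and nosuid a given mountpoint was mounted without. Because the two flags are set on the same fstab line (the point Celada makes), a check that reports each one independently is the easiest way to catch the case where one was forgotten. The mount lines embedded below are constructed sample data; the function name missing_opts and the use of a table argument are this example's own choices, so that it runs offline.

```shell
#!/bin/sh
# Added example: audit mount options on user-writable partitions.
# SAMPLE_MOUNTS is constructed test data in the layout of /proc/mounts:
#   device  mountpoint  fstype  options  dump  pass
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /data ext4 rw,nosuid,nodev,relatime 0 0
/dev/sdc1 /tmp ext4 rw,noexec,relatime 0 0
/dev/sdd1 /srv/upload ext4 rw,nosuid,nodev,noexec,relatime 0 0'

# has_opt OPTS NAME: succeed when the comma-separated list OPTS contains
# NAME as a whole option (so "noexec" does not match "relatime" etc.).
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_opts MOUNTPOINT [TABLE]: print, space-separated, the options
# among noexec and nosuid that MOUNTPOINT lacks; print nothing when both
# are set. TABLE defaults to the constructed sample; on a live system pass
# "$(cat /proc/mounts)" as the second argument.
missing_opts() {
    mp=$1
    table=${2:-$SAMPLE_MOUNTS}
    # Field 4 of a /proc/mounts line is the option list.
    opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { print $4 }')
    if [ -z "$opts" ]; then
        echo "not-mounted"
        return 1
    fi
    missing=""
    for want in noexec nosuid; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    printf '%s\n' "${missing# }"
}

# Stand-alone use: report on each constructed mountpoint.
for mp in / /data /tmp /srv/upload; do
    printf '%-12s missing: %s\n' "$mp" "$(missing_opts "$mp")"
done

# Live system (uncomment to use):
# missing_opts /data "$(cat /proc/mounts)"
```

Running it against the constructed table shows /data lacking noexec, /tmp lacking nosuid, / lacking both, and /srv/upload lacking neither. Hooking the live form into a configuration check (or a CIS-style benchmark script) turns the "did I forget the other flag" worry from the comments into something that is detected rather than remembered.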