fstab mount options on mkirby.org

I have made modifications to several mountpoints on the system.

By default, /tmp and /var/tmp are part of the filesystem.  I made the following modification to /etc/fstab to mount a 20 MB slice of memory on each of those directories.  I have also set the mount options nodev, noexec, and nosuid.  This means that device files in those directories are not honored, files stored there cannot be executed directly, and setuid/setgid bits are ignored.  This prevents hackers from uploading an executable to the directories and running it, or creating any devices that may circumvent the security.
tmpfs                   /tmp                tmpfs   nodev,noexec,nosuid,size=20m        0 0
tmpfs                   /var/tmp                tmpfs   nodev,noexec,nosuid,size=20m        0 0

 

By default, Fedora mounts /dev/shm as a memory filesystem.  I added the noexec, nosuid, and nodev options.
tmpfs                   /dev/shm                tmpfs   noexec,nosuid,nodev        0 0

 

By default, /dev/pts is mounted with world-readable permissions for the directory.  I added mode=620 so that users would not be able to see who was logged in.  A side effect of this is that users are unable to know what tty they are on.  I have not run into any issues with this yet.
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0

 

I have one NFS mount that contains website files.  I set it to nosuid and nodev for security, but not noexec, as there are files on the NFS mount that need execute permissions.  There is also a SELinux boolean called httpd_use_nfs, but I’ll cover that in another post.  The NFS mount is set to read-only, which is redundant as the NFS server exports it as read-only.
192.168.1.4:/a1            /a1             nfs timeo=14,intr,vers=3,ro,nosuid,nodev,nolock

 

There is one mountpoint in Fedora that I could not configure through fstab.  It’s /dev/mqueue.  In order to add the nodev, noexec, and nosuid options, I set up a cron job that executes the following:
/bin/mount -o remount,nodev,noexec,nosuid /dev/mqueue
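
The /dev/mqueue options only take effect once the cron job has run, and an fstab edit only takes effect on the next mount, so it is worth checking what the kernel actually reports. The script below is an added example, not part of the original post: it compares the options in /proc/self/mounts against the settings described on this page. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit mount options in effect.

# missing_opts FILE MOUNTPOINT OPT[,OPT...]
# Prints the required options absent from MOUNTPOINT's entry in FILE (same
# format as /proc/self/mounts), "unmounted" if no entry, nothing if compliant.
missing_opts() {
    awk -v mp="$2" -v want="$3" '
        $2 == mp { opts = $4; found = 1 }      # last match = topmost mount
        END {
            if (!found) { print "unmounted"; exit }
            n = split(want, w, ","); m = split(opts, h, ",")
            for (j = 1; j <= m; j++) have[h[j]] = 1
            for (i = 1; i <= n; i++)
                if (!(w[i] in have)) { out = out sep w[i]; sep = "," }
            if (out != "") print out
        }' "$1"
}

# audit_mounts [FILE]: check the mount points from this page; returns 1 on
# any failure. The list below restates the options chosen in the post.
audit_mounts() {
    rc=0
    while read -r mp want; do
        miss=$(missing_opts "${1:-/proc/self/mounts}" "$mp" "$want")
        if [ -n "$miss" ]; then echo "FAIL $mp: $miss"; rc=1
        else echo "ok   $mp"; fi
    done <<'EOF'
/tmp nodev,noexec,nosuid
/var/tmp nodev,noexec,nosuid
/dev/shm nodev,noexec,nosuid
/dev/mqueue nodev,noexec,nosuid
/a1 ro,nosuid,nodev
EOF
    return "$rc"
}

# Constructed sample in /proc/self/mounts format: /dev/mqueue as it would
# look before the cron remount has run.
sample_mounts() {
    cat <<'EOF'
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=20480k 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=20480k 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
mqueue /dev/mqueue mqueue rw,relatime 0 0
192.168.1.4:/a1 /a1 nfs ro,nosuid,nodev,relatime,vers=3,nolock 0 0
EOF
}
```

Calling `audit_mounts` with no argument checks the live system; pass a file to check saved output, such as the result of `sample_mounts`.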