Subject: Re: Q: file systems & sizes
To: Jon Ribbens <jon@oaktree.co.uk>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: port-i386
Date: 03/02/1999 13:33:48
On Mar 2, Jon Ribbens wrote
> Eric Delcamp <e.delcamp@wanadoo.fr> wrote:
> > Just to add something, I have a MFS /tmp like this:
> > 
> > /etc/fstab:
> > ...
> > /dev/wd0b       /tmp    mfs     rw,-s=4000 0 0
> 
> I use:
> 
> /dev/wd0b /tmp mfs rw,nodev,nosuid,-s=262144 0 0
> 
> I figure this might add a bit of security. I also put 'nodev' on everything
> except / and 'nosuid' on /var, does anyone have any thoughts on this?
> I figure this ought to be the default ;-).

This is good practice.
Also, on my ftp/www/mail server, all filesystems are 'noexec' except / and
/usr. This way regular users can't run their own executables.
Maybe I'm a bit drastic, but it's good for security (most exploits don't show
up as sh or perl scripts :)

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
--
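
Added example, not part of the original message: a small shell audit that checks an fstab against the mount options discussed in this thread (nodev everywhere except /, nosuid on /var and /tmp, noexec everywhere except / and /usr). Merging the two posters' settings into one policy, the function names and the sample fstab are assumptions made for illustration.

```shell
#!/bin/sh
# Audit fstab entries for the hardening options discussed in the thread.
# Assumed policy (merged from both messages):
#   nodev  on everything except /
#   nosuid on /var and /tmp
#   noexec on everything except / and /usr

# Reads fstab from the files given as arguments, or from stdin if none.
audit_fstab() {
    awk '
    # Return 1 if "want" is an exact entry in the comma-separated list "opts".
    function has(opts, want,    n, i, a) {
        n = split(opts, a, ",")
        for (i = 1; i <= n; i++) if (a[i] == want) return 1
        return 0
    }
    /^[ \t]*#/ || NF < 4 { next }   # skip comments, blank and short lines
    $3 == "swap"         { next }   # swap entries have no mount point
    {
        mp = $2; opts = $4
        if (mp != "/" && !has(opts, "nodev"))
            print mp ": missing nodev"
        if ((mp == "/var" || mp == "/tmp") && !has(opts, "nosuid"))
            print mp ": missing nosuid"
        if (mp != "/" && mp != "/usr" && !has(opts, "noexec"))
            print mp ": missing noexec"
    }' "$@"
}

# Constructed sample fstab; device names and layout are illustrative only.
sample_fstab() {
    cat <<'EOF'
# device    mount  type  options                    dump pass
/dev/wd0a   /      ffs   rw                         1 1
/dev/wd0b   none   swap  sw                         0 0
/dev/wd0b   /tmp   mfs   rw,nodev,nosuid,-s=262144  0 0
/dev/wd0e   /usr   ffs   rw,nodev                   1 2
/dev/wd0f   /var   ffs   rw,nodev,noexec            1 2
/dev/wd0g   /home  ffs   rw,nosuid                  1 2
EOF
}

sample_fstab | audit_fstab
```

To check a live system, run `audit_fstab /etc/fstab`; an empty result means every entry matches the assumed policy.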