On Tue, 2009-09-15 at 15:21 -0400, Yungwei Chen wrote:
> Hi,
>
> I am trying to secure my CentOS file systems by
> introducing "nodev" to devices defined in /etc/fstab. I learned that
> "nodev" prevents users from mounting unauthorized devices. However, I
> can still mount a cdrom to /tmp/cdrom with the following defined
> in /etc/fstab. Am I missing something? Thanks.
>
> LABEL=/tmp /tmp ext3 defaults,nodev 1 2
>
Yes, I think that you have misinterpreted the "nodev" option.
That means that "device" files ( normally created under /dev ) in a
filesystem mounted with the "nodev" option are not allowed to access the
hardware that they represent. This is used primarily as a protection
against malware that tries to get direct access to hardware such as
memory or network cards by creating additional device files somewhere
else.
Since CentOS ( and most other recent distros ) use "udev" to create the
necessary block and character files in the /dev tree ( which is NOT an
ext3 filesystem ) there should be no need for the "average" user to
create device files anywhere else in the directory tree. After I
understood this, I then modified all of the systems that I take care of
to specify "nodev" as an option for ALL ext3 filesystems.
In your case, if you are mounting a CD, you are using the normal block
device(s) in /dev ( such as /dev/cdrom or /dev/hdc ) and just specifying
the directory to use as the mount point ( /tmp/cdrom ), which is
perfectly legal with this option.
--
Ron Loftin reloftin at twcny.rr.com
"God, root, what is difference ?" Piter from UserFriendly
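An added example, not part of the thread above and not code from either poster: a small POSIX sh/awk script that does the audit Ron describes (find ext3 entries in an fstab that lack "nodev" and rewrite them with it added) and, as a root-only extra, shows what "nodev" actually does to a device node on such a filesystem: the node can be created, but the kernel refuses to open it until the filesystem is remounted with "dev". The sample fstab is constructed (only the /tmp line comes from the question), and the script deliberately skips the root filesystem; that is an assumption on my part, since / normally carries the static nodes in /dev that are used before udev mounts its own /dev over it. The demo function additionally assumes loop-device support and mkfs.ext3 from e2fsprogs.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit an fstab for ext3
# entries mounted without "nodev", rewrite it, and (as root) show what
# "nodev" actually does to a device node on such a filesystem.
#
# Assumptions: POSIX sh + awk; demo_nodev additionally needs root, loop-device
# support and mkfs.ext3 (e2fsprogs). The sample fstab is constructed and is
# not the poster's real file beyond the /tmp line quoted in the question.

SAMPLE_FSTAB='# constructed sample /etc/fstab
LABEL=/         /         ext3   defaults          1 1
LABEL=/tmp      /tmp      ext3   defaults,nodev    1 2
LABEL=/home     /home     ext3   defaults          1 2
LABEL=/var      /var      ext3   defaults,noexec   1 2
tmpfs           /dev/shm  tmpfs  defaults          0 0
LABEL=SWAP-sda2 swap      swap   defaults          0 0'

# Read an fstab on stdin; print the mount point of every ext3 entry whose
# option list lacks "nodev". The root filesystem is deliberately skipped
# (assumption: it carries the static nodes in /dev that are used before udev
# mounts its own /dev, so it has to keep "dev").
fstab_missing_nodev() {
    awk '
        /^[[:space:]]*#/ || NF < 4 { next }      # comments and blank lines
        $3 != "ext3" || $2 == "/" { next }       # only ext3, never /
        {
            has = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "nodev") has = 1
            if (!has) print $2
        }'
}

# Read an fstab on stdin; write it back with ",nodev" appended to every ext3
# entry that lacks it (again leaving / alone). Changed lines are re-joined
# with single spaces; untouched lines pass through verbatim.
fstab_add_nodev() {
    awk '
        /^[[:space:]]*#/ || NF < 4 || $3 != "ext3" || $2 == "/" { print; next }
        {
            has = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "nodev") has = 1
            if (!has) $4 = $4 ",nodev"
            print
        }'
}

# Root-only demonstration of the semantics: a device node created on a
# "nodev" filesystem exists, but opening it fails (the kernel returns
# EACCES, "Permission denied"); after "remount,dev" the same node works.
# Nothing here touches the real /etc/fstab.
demo_nodev() {
    img=/tmp/nodev-demo.img
    mnt=/mnt/nodev-demo
    dd if=/dev/zero of="$img" bs=1M count=32 2>/dev/null
    mkfs.ext3 -q -F "$img"
    mkdir -p "$mnt"
    mount -o loop,nodev "$img" "$mnt"
    mknod "$mnt/null" c 1 3              # same major/minor as /dev/null
    if echo test > "$mnt/null" 2>/dev/null; then
        echo "unexpected: node opened on a nodev filesystem"
    else
        echo "nodev: open of $mnt/null refused (expected)"
    fi
    mount -o remount,dev "$mnt"
    if echo test > "$mnt/null" 2>/dev/null; then
        echo "remount,dev: node works again (expected)"
    fi
    umount "$mnt" && rmdir "$mnt" && rm -f "$img"
}

# On a real box: fstab_missing_nodev < /etc/fstab
printf '%s\n' "$SAMPLE_FSTAB" | fstab_missing_nodev
```

Against the sample the audit reports /home and /var; /tmp already has the option and / is left alone. Check the rewritten output before copying it over /etc/fstab, and keep in mind that adding "nodev" to a mounted filesystem only takes effect after a remount (mount -o remount /home) or a reboot.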