docs/52829: [PATCH] Installing FreeBSD: Benefits of multiple filesystems
Brian Minard
bminard at flatfoot.ca
Sun Jun 1 02:00:32 UTC 2003
>Number: 52829
>Category: docs
>Synopsis: [PATCH] Installing FreeBSD: Benefits of multiple filesystems
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Sat May 31 19:00:29 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Brian Minard
>Release: FreeBSD 4.8-STABLE i386
>Organization:
>Environment:
System: FreeBSD spud.flatfoot.ca 4.8-STABLE FreeBSD 4.8-STABLE #0: Mon May 19 21:28:08 EDT 2003 root at spud.flatfoot.ca:/usr/obj/usr/src/sys/SPUD i386
>Description:
The installation chapter lists several benefits for creating multiple
filesystems. An important consideration which might not be apparent
to new users until after they complete the installation is that you
cannot mount user-writable file systems nosuid if you don't put them
in a separate filesystem. This is worth emphasizing, as security(7)
makes this recommendation.
>How-To-Repeat:
Follow the installation instructions for allocating disk space--they
are (strongly) biased towards leading users to create /home under /usr.
>Fix:
--- chapter.sgml.orig Sat May 31 12:30:21 2003
+++ chapter.sgml Sat May 31 21:43:40 2003
@@ -1747,7 +1747,13 @@
<para>Different filesystems can have different <firstterm>mount
options</firstterm>. For example, with careful planning, the
root filesystem can be mounted read-only, making it impossible for
- you to inadvertently delete or edit a critical file.</para>
+ you to inadvertently delete or edit a critical file. As well,
+ separating the filesystem containing <filename>/home<filename>,
+ from other filesystems means that user-writable filesystems can be
+ mounted <firstterm>nosuid</firstterm>. This will prevent the
+ <firstterm>suid/guid<firstterm> bits on executables stored in
+ <filename>/home</filename> from taking effect, possibly improving
+ security.</para>
</listitem>
<listitem>
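Review bot: two elements in the added lines are never closed. `<filename>/home<filename>,` and `<firstterm>suid/guid<firstterm>` repeat the opening tag where `</filename>` and `</firstterm>` are needed, so the chapter will not validate as written. In the same added text, "guid" should read "sgid" (the set-group-ID bit), and the comma after `/home` is stray. "possibly improving security" is vague. The sentence could instead state the effect directly: with nosuid, a set-user-ID or set-group-ID executable stored in a user-writable filesystem does not run with its owner's or group's privileges. `nosuid` is a mount option rather than a term being defined, so `<option>` would fit better than `<firstterm>`.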
>Release-Note:
>Audit-Trail:
>Unformatted: