/etc/fstab file configuration details

Source: Internet
Author: User
A Linux system generally has many file systems, although it can also be configured with only one or a few. One reason to create multiple file systems is to control access to them through the mount options specified in the /etc/fstab file. The /etc/fstab file contains six items.
The /etc/fstab file contains the following content:
/dev/hda1    /             ext3     defaults    1 1
/dev/hda5    /usr          ext3     defaults    1 2
/dev/hda1    /home         ext3     defaults    1 2
/dev/hda6    /var          ext3     defaults    1 1
/dev/hda7    swap          swap     defaults    0 0
/dev/fd0     /mnt/floppy   ext3     noauto      0 0
/dev/cdrom   /mnt/cdrom    iso9660  noauto,ro   0 0
none         /proc         proc     defaults    0 0
Column 1: device name or device volume label (/dev/sda10 or LABEL=/)
Column 2: mount directory of the device (for example, the above "/" or "/mnt/D/")
Column 3: file system type of the device (for example, the above "ext3" or "vfat")
Column 4: mount parameters (see man mount)
To change the mount parameters of a device that is already mounted, such as the /dev/sda2 above, you do not need to unmount the device; you can use the following command instead (for a device that is not mounted, the remount parameter is invalid):
# mount /mnt/cdrom/ -o remount,ro (change defaults to ro)
To ensure security, you can specify other mount parameters, such as:
defaults sets the mount options to rw, suid (allow SUID and SGID execution), dev (allow character and block special devices), exec (allow binary file execution), auto (allow mount -a), nouser (only the root user can mount the file system; normal users are not allowed to mount it) and async (asynchronous I/O)
nodev does not interpret or allow the creation of character or block special files (device files) on the file system (device files on it cannot be used)
noexec does not allow the execution of binary files or scripts on the file system (files on it cannot be executed). Do not mount the root partition as noexec: the system becomes unusable, even the mount command cannot be run, and the only way out is to rebuild the system!
ro sets this file system to read-only
user allows users other than the root user to mount the file system. Unless explicitly overridden, this option automatically sets the noexec, nosuid, and nodev options
nosuid and nosgid do not allow SUID or SGID to take effect on the file system (the suid and sgid attributes are not honored)
noatime disables access time updates on all files and directories in this file system. This option can be used in 2.2.x and later kernels.
Column 5: specifies whether to back up data (0 indicates no backup, 1 indicates that backup is required; generally, the root partition must be backed up)
Column 6: indicates the file system check order at boot (0 indicates no check, 1 or 2 indicates a check; if the root partition is set to 1, other partitions can only be 2)
Before installation, carefully consider the access types your users require, so that you can better plan the file systems you create. For local file systems, the following guidelines for selecting mount options are available:
(1) Users' home directories should not be a source of SUID scripts and programs, nor should they contain character or block special files.
(2) If any file system has a directory that can be written by someone other than the root user, the nosuid option should be used at a minimum. The /var file system is such a file system, and it is critical to your system.
(3) Any file system that does not need to be written to (except in special cases) should be mounted read-only.
We should apply the second guideline to the /var file system and the first guideline to the /home file system. For the convenience of users, we also want to add the user option to /mnt/cdrom so that non-root users can mount a CD-ROM without root intervention. The additional restrictions that come with the user option, namely nosuid, noexec, and nodev, should provide sufficient security for this purpose.
Assume that the /usr file system has a /usr/local/bin subdirectory containing executable programs used by many users. If these executables do not change frequently, you may want to create a separate file system for the /usr/local/bin directory and mount it with the ro option. Unfortunately, if you do, whenever you need to modify files in the /usr/local/bin or /usr/local/lib directory, you must remount it with the rw option (preferably in single-user mode). Enhancing the security of a system and network will, without exception, affect performance or user convenience.
A safer /etc/fstab table
/dev/hda1    /               ext3     defaults              1 1
/dev/hdb4    /usr/local/bin  ext3     ro,nosuid             1 2
/dev/hdb9    /usr/local/lib  ext3     ro,nosuid             1 2
/dev/hda5    /usr            ext3     defaults              1 2
/dev/hdb1    /home           ext3     noexec,nodev,nosuid   1 2
/dev/hda6    /var            ext3     nosuid                1 1
/dev/hda7    swap            swap     defaults              0 0
/dev/fd0     /mnt/floppy     ext3     noauto                0 0
/dev/cdrom   /mnt/cdrom      iso9660  noauto,ro,user        0 0
none         /proc           proc     defaults              0 0

1. Whether auto is specified or omitted, the file system is mounted automatically at startup. If noauto is specified, it is not mounted automatically; it is also skipped when mount -a is executed and can only be mounted manually.

2. user allows users other than the root user to mount the file system.
3. noexec does not allow execution of binary files or scripts on the file system.
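
The three guidelines above can be checked mechanically. The following Python sketch is an added example, not part of the original article: it resolves each entry's option field left to right (so that user implies noexec, nosuid and nodev unless a later option overrides it) and reports mount points that still allow what the guidelines rule out. The POLICY mapping and the BEFORE/AFTER samples are assumptions built from the article's own entries.

```python
# Added example, not from the original article. POLICY is an assumption
# derived from guidelines (1)-(3); BEFORE/AFTER are constructed samples.
POLICY = {  # mount point -> capabilities that must be switched off
    "/home": {"suid", "dev"},            # guideline (1)
    "/var": {"suid"},                    # guideline (2)
    "/usr/local/bin": {"rw", "suid"},    # guideline (3)
}

def effective(opts):
    """Resolve an option field left to right; later options override earlier ones."""
    on = {"rw": True, "suid": True, "dev": True, "exec": True}  # state under 'defaults'
    for o in opts.split(","):
        if o in ("user", "users"):       # implies noexec, nosuid, nodev
            on.update(suid=False, dev=False, exec=False)
        elif o == "ro":
            on["rw"] = False
        elif o in on:
            on[o] = True
        elif o.startswith("no") and o[2:] in on:
            on[o[2:]] = False
    return on

def audit(fstab_text):
    findings = []                        # (line number, message) pairs
    for n, line in enumerate(fstab_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if not 4 <= len(fields) <= 6:    # e.g. a space inside the option list
            findings.append((n, "expected 4 to 6 fields, got %d" % len(fields)))
            continue
        mnt, on = fields[1], effective(fields[3])
        if mnt == "/" and not on["exec"]:
            findings.append((n, "/ is noexec: the system cannot run its own binaries"))
        for cap in sorted(POLICY.get(mnt, ())):
            if on[cap]:
                findings.append((n, "%s: %s is still enabled" % (mnt, cap)))
    return findings

BEFORE = """/dev/hda1 / ext3 defaults 1 1
/dev/hda1 /home ext3 defaults 1 2
/dev/hda6 /var ext3 defaults 1 1"""
AFTER = """/dev/hda1 / ext3 defaults 1 1
/dev/hdb1 /home ext3 noexec,nodev,nosuid 1 2
/dev/hda6 /var ext3 nosuid 1 1
/dev/cdrom /mnt/cdrom iso9660 noauto,ro,user 0 0"""

if __name__ == "__main__":
    print(audit(BEFORE), audit(AFTER))
```

An entry whose option list contains a space (for example "noauto, ro") splits into extra fields and is reported as malformed rather than audited.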
