Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
 HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 6 File System Security

Security Guidelines for Mounting and Unmounting File Systems
» 

Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Glossary

 » Index

spacerspacerspacer
spacer
spacer
  		 
 

The mount command enables you to attach removable file systems and disk or disk partitions to an existing file tree. The mount command uses a file called /etc/fstab, which contains a list of available file systems and their corresponding mount points. Make the /etc/fstab file writable only by root, but readable by others. For more information on mounting file systems, see fstab(4).

Observe the following precautions when mounting a file system or disk:

  • Create a mount point directory (such as /mnt) on which to mount a new file system. Never mount a file system on a directory that already contains files, because those files will become inaccessible.

    The mount point of a mounted file system acquires the permissions and ownership of the file system's root directory.

  • Set permissions and access control list entries on disk path names to control access to disks.

  • Use the -r option of the mount command to mount the file system as read-only. You must mount physically write-protected file systems this way.

  • When mounting a new or foreign file system, assume that the medium is insecure.

    • Make sure that the PATH environment variable does not include “.” (the current directory); otherwise, you might run a Trojan horse version of ls or some similar command while examining the new file system.

    • Run the fsck command to verify that the file system is not technically corrupted. See fsck(1M).

    • Run the ncheck_hfs -s or ncheck_vxfs -s command to scan for setuid and setgid programs and device files, and investigate any suspicious findings. The -s option is intended to discover concealed violations of security policy. For more information, see ncheck_hfs(1M) and ncheck_vxfs(1M).

    • Create a directory restricted to root by setting its permissions at 700 (drwx------).

      # mkdir /securefile # chmod 700 /securefile

    • Mount the foreign file system read-only at that location:

      # mount -r /dev/disk1 /securefile

    • Check all directories for privileged programs, and verify the identity of every program.

    • Remount the system read and write permissions and remove any unnecessary setuid and setgid permissions from files that you discovered in the previous step. These precautions are especially important if a user requests that you mount a personal file system.

    Only after performing these tests should you unmount the file system and remount it in its desired location.

  • Be sure to unmount all mounted file systems of a user whose account you are disabling or removing.

For information on files mounted in an NFS environment, see Section .



Protecting Disk Partitions and Logical Volumes
  		 


Controlling File Security on a Network  
Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 2008 Hewlett-Packard Development Company, L.P.