fstab Question
D. Michael McIntyre
michael.mcintyre at rosegardenmusic.com
Sat Dec 8 16:01:41 UTC 2007
On Saturday 08 December 2007, Billie Walsh wrote:
> Third: Can someone explain, in simple [ noob ] terms, what the last
> three parameters [ nodev, noexec, and nosuid ] mean/do? At this point
> it's just my curiosity at work.
(From man mount.)

noauto
Can only be mounted explicitly (i.e., the -a option will not cause the file
system to be mounted).

nodev
Do not interpret character or block special devices on the file system.

(Means you can't put a /dev directory here and have it work. Linux accesses
things like your soundcard or a hard disk partition through special files,
and you can't store any of those special files on a volume mounted with this
option.)

noexec
Do not allow direct execution of any binaries on the mounted file system.
(Until recently it was possible to run binaries anyway using a command
like /lib/ld*.so /mnt/binary. This trick fails since Linux 2.4.25 / 2.6.0.)

(Means you won't be able to run any applications directly off this volume, as
a safeguard that intends to prevent you from running something that isn't
sitting in a place where only root could have put it there, and hopefully
root put it there by way of your package management system with all its integral
authenticity checks. A security measure.)

nosuid
Do not allow set-user-identifier or set-group-identifier bits to take effect.
(This seems safe, but is in fact rather unsafe if you have suidperl(1)
installed.)

(Setting the suid bit lets a common user run an application with rootlike
powers, which is necessary for some X11 stuff, and for, um, the old dialup
modem thingie. It should be done sparingly, and this mount option is
intended to dissuade you from hosting suid-enabled binaries on this volume.
Or something like that. Read up if this vague explanation isn't sufficient,
because I'm really not that well versed in this particular matter, as I
haven't had to mess with it since the dialup modem days. Good riddance to
the dialup modem days. Used to be the dialer thingie in Debian shipped so
you had to manually add the suid bit to get it to work, IIRC.)

Now for an opinion: the only option that's CRITICALLY important is
errors=remount-ro. This one means if something starts to go screwy with the
filesystem, it will be remounted as read-only, and it can no longer be
changed. This prevents you doing further damage. You might lose any unsaved
data in memory, but you are less likely to lose the entire filesystem.

I saw this happen once, before I knew about that option. I was doing
something, and got an I/O Error, so I tried to do something else. Move to
this directory, look at its contents, try to open a file, file isn't there,
look at the directory, it's not there anymore either, and so on tumble the
dominoes until the entire filesystem is obliterated beyond recognition, and
all the data is lost except perhaps to the hands of recovery experts.

The idea is to prevent that scenario by having the kernel step in to keep you
from further modifying the filesystem, which only makes things worse and
worse the longer you leave it all going. Trying to shut down politely from
that kind of scenario is much worse than just yanking the plug out of the
wall.

--
D. Michael McIntyre
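
Added example, not part of the original post: a shell function that reads fstab-format lines and lists, for each mount point, which of nodev, noexec and nosuid are not in effect. It applies options left to right and counts the implications documented in mount(8) for user/users (all three) and owner/group (nodev and nosuid). The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample entries are constructed.

# Constructed fstab entries used as sample input.
sample_fstab() {
cat <<'EOF'
# <device>  <mount point>  <type>  <options>  <dump>  <pass>
/dev/sda1  /             ext3     defaults,errors=remount-ro  0 1
/dev/sda2  /home         ext3     defaults,nodev,nosuid       0 2
/dev/sdb1  /media/usb    vfat     noauto,user                 0 0
/dev/hdc   /media/cdrom  iso9660  ro,user,noauto,exec         0 0
tmpfs      /tmp          tmpfs    nodev,nosuid,noexec         0 0
EOF
}

# Read fstab lines on stdin; print "<mount point>: <options not in effect>".
fstab_missing_opts() {
    awk '
    $1 ~ /^#/ || NF < 4 { next }      # skip comments, blank and short lines
    {
        nodev = noexec = nosuid = 0
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {    # later options override earlier ones
            o = opt[i]
            if (o == "user" || o == "users")       { nodev = 1; noexec = 1; nosuid = 1 }
            else if (o == "owner" || o == "group") { nodev = 1; nosuid = 1 }
            else if (o == "nodev")  nodev = 1
            else if (o == "dev")    nodev = 0
            else if (o == "noexec") noexec = 1
            else if (o == "exec")   noexec = 0
            else if (o == "nosuid") nosuid = 1
            else if (o == "suid")   nosuid = 0
        }
        missing = ""
        if (!nodev)  missing = missing " nodev"
        if (!noexec) missing = missing " noexec"
        if (!nosuid) missing = missing " nosuid"
        if (missing == "") missing = " -"
        print $2 ":" missing
    }'
}

sample_fstab | fstab_missing_opts
```

To check a real system, feed it the live table instead of the sample: fstab_missing_opts < /etc/fstab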