4.10. Mounting partitions the right way
When mounting an Ext file system (ext2, ext3 or ext4), there are several additional options you can apply to the mount call or to /etc/fstab. For instance, this is my fstab entry for the /tmp partition:
  /dev/hda7    /tmp    ext2    defaults,nosuid,noexec,nodev    0    2
		
You see the difference in the options section. The option nosuid ignores the setuid and setgid bits completely, while noexec forbids execution of any program on that mount point, and nodev ignores device files. This sounds great, but it:
The noexec option prevents binaries from being executed directly, but was easily circumvented in earlier versions of the kernel:
  alex@joker:/tmp# mount | grep tmp
  /dev/hda7 on /tmp type ext2 (rw,noexec,nosuid,nodev)
  alex@joker:/tmp# ./date
  bash: ./date: Permission denied
  alex@joker:/tmp# /lib/ld-linux.so.2 ./date
  Sun Dec  3 17:49:23 CET 2000
		
Newer versions of the kernel do however handle the noexec flag properly:
  angrist:/tmp# mount | grep /tmp
  /dev/hda3 on /tmp type ext3 (rw,noexec,nosuid,nodev)
  angrist:/tmp# ./date
  bash: ./tmp: Permission denied 
  angrist:/tmp# /lib/ld-linux.so.2 ./date 
  ./date: error while loading shared libraries: ./date: failed to map segment 
  from shared object: Operation not permitted
		
However, many script kiddies have exploits which try to create and execute files in /tmp, and if they do not have a clue they will fall into this pit. Likewise, a user cannot be tricked into executing a trojanized binary in /tmp, e.g. when /tmp is accidentally added to the local PATH.
		
Also be forewarned that some scripts might depend on /tmp being executable. Most notably, Debconf has (had?) some issues regarding this; for more information see http://bugs.debian.org/116448.
		
The following is a more thorough example. A note, though: /var could be set noexec, but some software keeps its programs under /var. The same applies to the nosuid option.
/dev/sda6   /usr          ext3    defaults,ro,nodev       0       2
/dev/sda12  /usr/share    ext3    defaults,ro,nodev,nosuid        0       2
/dev/sda7   /var          ext3    defaults,nodev,usrquota,grpquota 0      2
/dev/sda8   /tmp          ext3    defaults,nodev,nosuid,noexec,usrquota,grpquota    0       2
/dev/sda9   /var/tmp      ext3    defaults,nodev,nosuid,noexec,usrquota,grpquota    0       2
/dev/sda10  /var/log      ext3    defaults,nodev,nosuid,noexec    0       2
/dev/sda11  /var/account  ext3    defaults,nodev,nosuid,noexec    0       2
/dev/sda13  /home         ext3    rw,nosuid,nodev,exec,auto,nouser,async,usrquota,grpquota    0       2
/dev/fd0    /mnt/fd0      ext3    defaults,users,nodev,nosuid,noexec      0       0
/dev/fd0    /mnt/floppy   vfat    defaults,users,nodev,nosuid,noexec      0       0
/dev/hda    /mnt/cdrom    iso9660 ro,users,nodev,nosuid,noexec            0       0
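As an added example (not part of the original manual), here is a POSIX shell audit script that checks fstab entries for the nodev/nosuid/noexec options discussed above. The fstab content is a constructed sample modelled on the entries in this section, and the required-option lists in audit_fstab are this editor's choice for the mount points the section hardens, not a Debian recommendation. It handles two details a quick grep misses: "defaults" expands to rw,suid,dev,exec,auto,nouser,async, and a later exec/suid/dev re-enables what an earlier noexec/nosuid/nodev switched off, so the last word in the options field wins.

```shell
#!/bin/sh
# Added example: audit fstab entries for the nodev/nosuid/noexec options.
# FSTAB_SAMPLE is a constructed sample modelled on this section's entries,
# not a real system's fstab.
FSTAB_SAMPLE='# <device>  <mount point> <type> <options>                                <dump> <pass>
/dev/sda7   /var          ext3   defaults,nodev,usrquota,grpquota        0 2
/dev/sda8   /tmp          ext3   defaults,nodev,nosuid,noexec            0 2
/dev/sda13  /home         ext3   rw,nosuid,nodev,exec,auto,nouser,async  0 2
/dev/sda14  /srv          ext3   defaults,noexec,exec                    0 2
proc        /proc         proc   defaults                                0 0'

# fstab_options MOUNTPOINT: print the options field of MOUNTPOINT's entry
# (nothing if there is no entry). Comment lines and short lines are skipped.
fstab_options() {
    printf '%s\n' "$FSTAB_SAMPLE" |
        awk -v mp="$1" 'NF >= 4 && $1 !~ /^#/ && $2 == mp { print $4 }'
}

# fstab_missing_opts MOUNTPOINT REQUIRED
# REQUIRED is a comma-separated list of "no" options (nodev,nosuid,noexec).
# Prints the required options that are NOT in effect, space separated, and
# returns 1 if any is missing. "defaults" means rw,suid,dev,exec,auto,nouser,
# async, and a later exec/suid/dev undoes an earlier noexec/nosuid/nodev, so
# the options are walked in order and the last word wins.
# Prints MISSING_ENTRY when the mount point has no fstab line at all.
fstab_missing_opts() {
    opts=$(fstab_options "$1")
    if [ -z "$opts" ]; then
        echo MISSING_ENTRY
        return 1
    fi
    missing=""
    for want in $(printf '%s' "$2" | tr ',' ' '); do
        positive=${want#no}          # noexec -> exec
        state=on                     # kernel default: exec/suid/dev permitted
        for tok in $(printf '%s' "$opts" | tr ',' ' '); do
            case "$tok" in
                defaults|"$positive") state=on ;;
                "$want")              state=off ;;
            esac
        done
        if [ "$state" = on ]; then
            missing="$missing $want"
        fi
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# audit_fstab: check the mount points this section hardens (editor's list);
# returns 1 if any required option is missing or an entry is absent.
audit_fstab() {
    rc=0
    for spec in /tmp:nodev,nosuid,noexec /var/tmp:nodev,nosuid,noexec \
                /home:nodev,nosuid /var:nodev /srv:nodev,nosuid,noexec; do
        mp=${spec%%:*}
        req=${spec#*:}
        missing=$(fstab_missing_opts "$mp" "$req") || rc=1
        if [ -n "$missing" ]; then
            printf '%-10s missing: %s\n' "$mp" "$missing"
        else
            printf '%-10s ok\n' "$mp"
        fi
    done
    return $rc
}

audit_fstab || echo "one or more mount points need attention"
```

Replace FSTAB_SAMPLE with the contents of /etc/fstab to audit a live system; the same parser works on /proc/mounts, whose fourth field likewise holds the options actually in effect, which is the better place to look when an fstab entry and the running mount disagree.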
4.10.1. Setting /tmp noexec
Be careful when setting /tmp noexec if you want to install new software, since some programs might use it for installation. apt is one such program (see http://bugs.debian.org/116448) if APT::ExtractTemplates::TempDir is not configured properly (see apt-extracttemplates(1)). You can set this variable in /etc/apt/apt.conf to another directory with exec privileges other than /tmp.
			
4.10.2. Setting /usr read-only
If you set /usr read-only you will not be able to install new packages on your Debian GNU/Linux system. You will have to first remount it read-write, install the packages and then remount it read-only. apt can be configured to run commands before and after installing packages, so you might want to configure it properly.

To do this modify /etc/apt/apt.conf and add:
  DPkg
  {
      Pre-Invoke  { "mount /usr -o remount,rw" };
      Post-Invoke { "mount /usr -o remount,ro" };
  };
			
Note that the Post-Invoke may fail with a "/usr busy" error message. This happens mainly when files that were replaced during the update are still held open by running programs. You can find these programs by running
  # lsof +L1

Stop or restart these programs and run the Post-Invoke manually. Beware! This means you'll likely need to restart your X session (if you're running one) every time you do a major upgrade of your system. You might want to reconsider whether a read-only /usr is suitable for your system. See also this discussion on debian-devel about read-only.
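The lsof +L1 output can be long on a busy system. The following helper (added here, not from the manual) parses that output and lists only the processes holding deleted-but-open files under a given directory, which are the ones keeping the read-only remount of /usr from succeeding. The lsof output embedded in the script is a constructed sample; the processes, paths, inode numbers and library versions are invented, and the column layout follows lsof's header with the NLINK column that +L adds.

```shell
#!/bin/sh
# Added example: find the processes holding deleted-but-open files under /usr,
# which is what makes "mount /usr -o remount,ro" fail with "/usr busy".
# LSOF_SAMPLE is a constructed sample of `lsof +L1` output (open files whose
# link count is below 1, i.e. deleted while still open). All values invented.
LSOF_SAMPLE='COMMAND   PID USER  FD   TYPE DEVICE SIZE/OFF NLINK  NODE NAME
xterm    1201 alex  txt   REG    8,6   318000     0 41211 /usr/bin/xterm (deleted)
xterm    1201 alex  mem   REG    8,6  1502000     0 41900 /usr/lib/libX11.so.6 (deleted)
sshd      612 root  mem   REG    8,6   144000     0 42001 /usr/lib/libcrypto.so.0.9.8 (deleted)
bash     1337 alex    3u  REG    8,7    10240     0 51111 /var/tmp/scratch.log (deleted)'

# deleted_files_under PREFIX: read lsof output on stdin and print
# "PID COMMAND PATH" for each deleted-but-open file whose path lies under
# PREFIX. Only the first two columns and the tail of the line are used, so
# the exact position of the NLINK column does not matter. Paths containing
# spaces would be cut short by this field-based parse.
deleted_files_under() {
    awk -v prefix="$1" '
        BEGIN { if (prefix !~ /\/$/) prefix = prefix "/" }
        $NF == "(deleted)" && index($(NF-1), prefix) == 1 {
            print $2, $1, $(NF-1)
        }'
}

# busy_pids_under PREFIX: unique "PID COMMAND" pairs holding deleted files
# under PREFIX, sorted by PID. These are the programs to stop or restart
# before re-running the Post-Invoke remount by hand.
busy_pids_under() {
    printf '%s\n' "$LSOF_SAMPLE" | deleted_files_under "$1" |
        awk '{ print $1, $2 }' | sort -n | uniq
}

busy_pids_under /usr
```

On a live system, feed the real output through the parser instead of the sample: lsof +L1 | deleted_files_under /usr. The sshd entry in the sample is the case to watch for, since restarting it carelessly over a remote session is how a read-only /usr upgrade turns into a trip to the console.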