Re: How to get away with small /var partition

From: Karsten M. Self (kmself_at_ix.netcom.com)
Date: 11/30/03

    Date: Sun, 30 Nov 2003 08:50:24 -0800
    To: Debian-user list <debian-user@lists.debian.org>
    
    
    

    on Sat, Nov 29, 2003 at 03:16:56PM -0500, Malcolm Ferguson (Malcolm_Ferguson@yahoo.com) wrote:
    > Walter Dnes wrote:
    >
    > >On Fri, Nov 28, 2003 at 12:13:46AM -0800, Karsten M. Self wrote
    > >
    > >>Or you could just give yourself One Big Partition and deal with the
    > >>attendant problems.
    > >
    > > I'm trying to get as close as possible to One Big Partition, without
    > >the problems. The minimal needs seem to be...

    > I hate multiple partitions. I always seem to run out of space on one
    > even though I have tons left on others. It seems hard to make good
    > partitioning choices that will survive years of abuse. It sounds like
    > you're considering LVM though.

    The partitioning guidelines I've presented _have_ withstood years of
    abuse.

    The rationale is addressed in the article below, and in large part
    addresses problem containment, and privilege minimization:

        http://twiki.iwethey.org/Main/NixPartitioning

    > That being said, there are some other thoughts. I know you're well
    > aware of security, but I will reiterate. Something I picked up from
    > the recent discussions about the Debian server break-in is that /tmp
    > on its own partition can be set to noexec and nosuid.

    I believe nosuid and nodev, though I can't locate a reference ATM.

    Point being that the permissions you want to allow for user-writeable
    partitions are lesser than those for system partitions. Minimal
    permissions, always, is a good policy.

    > I recommend making it far larger than in the Debian security doc
    > though. On my servers I have /boot and /usr read-only, and I've been

    You can leave /boot unmounted altogether. The only times it needs to be
    accessed are:

      - At boot time, where access is direct to partition, and the partition
        need not be mounted (indeed, can't be).

      - When examining kernel config files and System maps (read-only)

      - When installing a new kernel (writeable)

    Note that if a partition is mounted, you can use the
    "remount,options=<list>" to change options. I use this, for example, in
    a slightly modified /etc/init.d/pcmcia file to remount /tmp with device
    files enabled when initiating PCMCIA settings. Otherwise, the partition
    is mounted nodev.

    See /usr/share/doc/apt/examples/configure-index.gz for how to mount /usr
    writeable during system upgrades. I'm not positive of the
    multiple-action syntax, but this might work in /etc/apt/apt.conf:

    ------------------------------------------------------------------------
    DPkg
    {
        // Auto re-mount of readonly /usr
        Pre-Invoke {"mount -o remount,rw /usr; mount -o remount,rw /boot;";};
        Post-Invoke {"mount -o remount,ro /usr; mount -o remount,ro /boot;";};
    };
    ------------------------------------------------------------------------

    > wondering recently if I should/can do the same with /etc.

    With great difficulty.

    Peace.

    -- 
    Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
     What Part of "Gestalt" don't you understand?
      Backgrounder on the Caldera/SCO vs. IBM and Linux dispute.
          http://sco.iwethey.org/
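
An added example, not part of the original message: a small audit that checks mount options against the restrictions discussed in this thread. The policy table merges the options named by both posters (nosuid, nodev and noexec on /tmp; /usr and /boot read-only) and is an assumption, as are the function name and the constructed sample mount table.

```shell
#!/bin/sh
# Policy (assumption drawn from the thread): mount point -> required options.
POLICY='/tmp nosuid,nodev,noexec
/usr ro
/boot ro'

# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw,errors=remount-ro 0 0
/dev/hda2 /boot ext2 ro 0 0
/dev/hda5 /usr ext3 rw 0 0
/dev/hda6 /tmp ext3 rw,nosuid,nodev 0 0
/dev/hda7 /var ext3 rw 0 0'

# audit_mounts MOUNTS_TEXT
# Prints "MISSING <mountpoint> <option>" for each unmet requirement, and
# "NOTMOUNTED <mountpoint>" when a policy mount point has no entry of its own.
# NOTMOUNTED is acceptable for /boot (it can stay unmounted); for /tmp it means
# /tmp is only a directory on a parent filesystem and inherits its options.
audit_mounts() {
    printf '%s\n' "$POLICY" | while read -r mp required; do
        # Last matching entry wins, so an over-mount is judged, not what it hides.
        opts=$(printf '%s\n' "$1" |
               awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
        if [ -z "$opts" ]; then
            echo "NOTMOUNTED $mp"
            continue
        fi
        for want in $(echo "$required" | tr ',' ' '); do
            # Compare whole comma-delimited options so that "ro" does not
            # match inside "errors=remount-ro".
            case ",$opts," in
                *",$want,"*) ;;
                *) echo "MISSING $mp $want" ;;
            esac
        done
    done
}

# Audit the running system with --live, otherwise the constructed sample.
if [ "${1:-}" = "--live" ] && [ -r /proc/mounts ]; then
    audit_mounts "$(cat /proc/mounts)"
else
    audit_mounts "$SAMPLE_MOUNTS"
fi
```
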
    
    
