Re: Disk Druid - Fedora flame #1

From: James Wilkinson (james_at_westexe.demon.co.uk)
Date: 01/19/05

  • Next message: Matthew Miller: "Re: Disk Druid - Fedora flame #1"
    Date: Wed, 19 Jan 2005 22:57:12 +0000
    To: For users of Fedora Core releases <fedora-list@redhat.com>
    
    

    Gene Heskett wrote:
    > And I'm down there working on it right now, having put a used 46GB WD
    > drive in as /dev/hdb, and the first real problem is that DD will not
    > allow me to make a /root partition, claiming it must be a directory
    > on /.
    >
    > With all due respect, that's bullshit. I will NEVER partition a drive
    > and put /root as a subdir on /. I don't have such an arrangement in
    > place on any linux install I have, won't tolerate it. It's senseless
    > to put your most private business as nothing more secure than a
    > directory on /. End of discussion IMNSHO. What I do as root, is not
    > any of the semi-public /'s business, none nada zip.
    >
    > /dev/hdb1= primary /boot = 100M
    > /dev/hdb2= primary /dos = 50M
    > /dev/hdb3= primary /root = 4GB But %$#@*& DD won't let me name it
    > '/root', I'm gonna have to do it by hand.

    Erm .. sorry. Your justification has lost me.

    Root's home directory should contain very little: it's supposed to be
    part of a minimal boot environment.

    This goes back to the days when disks and filesystems were more fragile
    than they are now, boot CDs unavailable, and boot floppies much less
    useful. The idea is to maximise the chances that you can at least boot a
    Unix as far as mounting /, with enough utilities to fix things.

    So that means you need root's home directory on / (so root can log in and
    get at his or her settings), along with utilities like fsck, tar and
    mknod, so you can actually fix any problems with /usr (or rebuild it
    from backup).

    And the root filesystem should be as small as reasonably possible, to
    minimise the chances that anything goes wrong with it.

    The justification at
    http://www.pathname.com/fhs/pub/fhs-2.3.html#THEROOTFILESYSTEM
    (which is the Linux Filesystem Hierarchy Standard that Fedora and nearly
    every other Linux basically follow) is a worthwhile read.

    Note that some commercial Unices use "/" as root's home directory. I
    find this... untidy, but it does prevent ambiguities when someone talks
    about "the root directory" (and you're not sure they're using much
    precision).

    If I ask "what sort of 'most private business' needs to be done as
    root?" then you'll probably tell me it's most private! But e-mail,
    spreadsheets, word-processing, and the rest can and should be done as
    normal users. Anything that counts as "business" should be stored under
    /home or on another filesystem.

    There's no loss of security, as long as root is trusted. In fact, you
    get *more* security, because there are fewer ways for an ordinary user to
    compromise the security of the data.

    (If you do have to keep it under /root: you can always create another
    filesystem and mount it there...)

    And "nothing more secure than a directory on /"? As Fedora currently
    comes, there is no real difference between having a folder on one
    filesystem or on another. While Linux is booted, it will provide the
    same protection. While it isn't booted, anyone with physical access can
    swipe the drive, or boot a CD, USB key, or floppy and read data from the
    hard drive.

    Now it would be possible to merge in some of the patches floating around
    to provide an encrypted swap, and have an encrypted filesystem that you
    mount at login (entering a password) for sensitive files. *Then* you'd
    get security benefits from having sensitive documents on a different
    filesystem.

    Just as long as you're prepared for something to break, and that
    filesystem not to mount.

    Incidentally, the FHS says, at
    http://www.pathname.com/fhs/pub/fhs-2.3.html#FTN.AEN1037:
    > If the home directory of the root account is not stored on the root
    > partition it will be necessary to make certain it will default to / if
    > it can not be located.

    (Fedora doesn't do this by default...)

    > We recommend against using the root account for tasks that can be
    > performed as an unprivileged user, and that it be used solely for
    > system administration. For this reason, we recommend that
    > subdirectories for mail and other applications not appear in the root
    > account's home directory, and that mail for administration roles such
    > as root, postmaster, and webmaster be forwarded to an appropriate
    > user.

    James.

    -- 
    E-mail address: james | They say that every cloud has a silver lining, which
    @westexe.demon.co.uk  | must be a bit alarming for airline pilots...
                          |     -- "I'm Sorry, I Haven't A Clue", BBC Radio 4
    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
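
Added example, not part of the original message: a check for the FHS note quoted above, reporting which mounted filesystem holds root's home directory. The function names, the sample passwd line and both mount tables (including the device for /) are constructed for illustration.

```shell
#!/bin/sh
# Which mounted filesystem holds root's home directory? Takes passwd(5)-
# and /proc/mounts-format files, so it also works on a rescue-mounted image.

# Print the home directory field of the "root" account in passwd file $1.
root_home() {
    awk -F: '$1 == "root" { print $6; exit }' "$1"
}

# Print the mount point containing path $1: the longest mount point in
# mounts file $2 that prefixes it on a path-component boundary.
mount_for() {
    awk -v p="$1" '
        {
            m = $2
            pre = (m == "/") ? "/" : m "/"
            if ((p == m || index(p "/", pre) == 1) && length(m) > length(best))
                best = m
        }
        END { print best }' "$2"
}

# Return 0 if root's home is on the root filesystem, 1 otherwise.
check_root_home() {
    home=$(root_home "$1")
    fs=$(mount_for "$home" "$2")
    if [ "$fs" = "/" ]; then
        echo "ok: $home is on the root filesystem"
    else
        echo "warn: $home is on its own filesystem ($fs); check login falls back to / if it fails to mount"
        return 1
    fi
}

# Constructed sample data: one passwd file, two candidate mount tables.
sample_dir=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' > "$sample_dir/passwd"
cat > "$sample_dir/mounts.single" <<'EOF'
/dev/hda1 / ext3 rw 0 0
/dev/hdb1 /boot ext3 rw 0 0
EOF
cat > "$sample_dir/mounts.split" <<'EOF'
/dev/hda1 / ext3 rw 0 0
/dev/hdb1 /boot ext3 rw 0 0
/dev/hdb3 /root ext3 rw 0 0
EOF
check_root_home "$sample_dir/passwd" "$sample_dir/mounts.single" || true
check_root_home "$sample_dir/passwd" "$sample_dir/mounts.split" || true
```

On a running system the same check is `check_root_home /etc/passwd /proc/mounts`; mount points containing spaces (written as `\040` in /proc/mounts) are not handled.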
    
