On Wed, Dec 03, 2003 at 12:17:52PM -0800, Mark Ferlatte (ferlatte@cryptio.net) wrote:
> Karsten M. Self said on Wed, Dec 03, 2003 at 06:15:29AM -0800:
> > See, variously, the FHS, and my own partitioning guidelines:
> >
> > http://twiki.iwethey.org/Main/NixPartitioning
>
> Good page. I should have known about the Jihad.
;-) Thanks.
I'll have to re-check my sizing recommendations for /. Current stock
kernels run ~23 MiB with all modules. This plus journal files leaves me
pinched on a couple of systems with what was once an adequate 96 MiB.
Depending on kernel growth, 200 MiB or more might not be unwarranted.
Much revision of /etc might help here.
> > - /var need only be writeable and executable (nodev, nosuid).
>
> Minor nit: netatalk requires a device node in /var to support Appletalk
> printing. Admittedly, for most people, this is not an issue.
While it's not current policy, the practice of sequestering _all_ device
files under /dev would be *highly* encouraged by this punter. Both
devfs (deprecated) and hotplug should help in this regard.
> > - Minimal damage. Any actions affecting a partition are limited to
> > that partition.
> >
> > - Minimal damage. The probabilities of corruption of a partition are
> > directly proportional to its size. Minimize the size, minimize this
> > likelihood.
>
> I think I'm approaching this problem from a different perspective; it
> takes less time for me to rebuild a system from scratch than it would
> to recover the system partitions (automated rebuild and system config
> recovery and all that), so this problem doesn't really affect me much.
There are a few different viewpoints to this.
Given that 30% of spam is reported (Inquirer news story 3 Dec) to
originate from broadband-connected systems, minimizing the exposed
vulnerabilities of _any_ system should be a high priority.
Specifically: allow device and SUID access only where absolutely
necessary, keep system partitions mounted read-only if possible, protect
and/or isolate your kernel(s).
> > Well, for starters, /tmp *is* cleared between system boots, and is
> > appropriate for data which *must* not be preserved between boots. The
> > definitions are not identical, the directories are not equivalent.
>
> Your definition above is much stricter than what the FHS actually says, and
> under your definition /tmp and /var/tmp are not equivalent. Fair enough.
The FHS allows for what Debian policy requires.
Peace.
--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Bush/Cheney '04: Asses of Evil
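As an added example, not part of the thread, a small Python audit that reads an fstab and reports mount points lacking the options discussed above (/var on nodev,nosuid; system partitions read-only where possible). The fstab text is constructed, and the policy entries for /tmp and /usr are assumptions about how one would operationalize the thread's advice; the netatalk case shows why such a policy needs a per-host exception list.

```python
"""Audit an fstab for the mount-option hardening discussed in the thread.

Added example, not from the original mail. The fstab text below is
constructed; the POLICY table encodes the thread's recommendations and
is an assumption about how to operationalize them.
"""

# Required options per mount point. /var follows the thread's guideline;
# /tmp and /usr (treated as a read-only system partition) are assumptions.
POLICY = {
    "/var": {"nodev", "nosuid"},
    "/tmp": {"nodev", "nosuid"},
    "/usr": {"ro", "nodev"},
}

# Constructed sample fstab: /var is missing nodev, everything else complies.
CONSTRUCTED_FSTAB = """\
# <device>   <mount>  <type>  <options>           <dump> <pass>
/dev/sda1    /        ext3    defaults            0 1
/dev/sda2    /usr     ext3    defaults,ro,nodev   0 2
/dev/sda3    /var     ext3    defaults,nosuid     0 2
/dev/sda4    /tmp     ext3    nodev,nosuid        0 2
proc         /proc    proc    defaults            0 0
"""


def parse_fstab(text):
    """Return {mount_point: set(options)} for non-comment, non-blank lines."""
    mounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry: skip rather than guess
        mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def audit(text, policy=POLICY):
    """Return {mount_point: sorted missing options} for every violation.

    A policy mount point absent from fstab lives on its parent filesystem
    and so inherits none of the required options; report all as missing.
    """
    mounts = parse_fstab(text)
    return {mp: sorted(req - mounts.get(mp, set()))
            for mp, req in policy.items() if req - mounts.get(mp, set())}


if __name__ == "__main__":
    for mp, missing in audit(CONSTRUCTED_FSTAB).items():
        print(f"{mp}: missing {','.join(missing)}")
```

Hosts that genuinely need a device node under /var (the netatalk printing case mentioned above) would carry a documented exception rather than a relaxed default.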