Re: [OT] fhs and multiple partitions (was: Installing Debian using ...)
On Mon, 2004-02-23 at 06:46, Kiko Piris wrote:
> On 23/02/2004 at 00:05, s. keeling wrote:
> > This is ridiculous advice and I wish people like you would stop
> > offering it. Multiple partitions make the system far more robust and
> > usable in many ways, from backing it up through system stability.
> > This is just as true for a laptop as it is for servers.
I hope you don't use the "dump" command on a
live filesystem ever. This is very unsafe.
All the other tools are happy to handle things
by directory, so I don't see your problem.
If stability were an issue, we'd need to fix that
instead of using a gross work-around.
> One other advantage in separating partitions is security: you can mount
> /boot ro,noexec,nodev,nosuid, /home nosuid,nodev, /tmp nosuid,nodev,
> etc. (http://www.seifried.org/lasg/installation/).
Nope. This is Linux, which kicks ass. On your
single-partition Linux 2.6 system, do this:
mount --bind /home /home
mount --bind -o remount,nosuid /home /home
In /proc/mounts I now see this:
rootfs / rootfs rw 0 0
/dev/root / ext2 rw 0 0
proc /proc proc rw 0 0
devpts /dev/pts devpts rw 0 0
usb /proc/bus/usb usbdevfs rw 0 0
sysfs /sys sysfs rw 0 0
/dev/root /home ext2 rw,nosuid 0 0
Notice that /dev/root is mounted twice.
You can't tell, but the second mount is
from below the root of the filesystem.
In NFS notation, /dev/root:/home is mounted.
I can also relocate directories this way
and use file-on-file mounts to replace files.
> On 23/02/2004 at 00:40, s. keeling wrote:
> > /boot and /tmp shouldn't be separate. On that, we can agree.
>
> /boot and /tmp *should* be separate.
Not really.
For /boot, you just need to satisfy the boot loader.
Share /boot with /bin if you can.
For /tmp, you can get a performance advantage by
using tmpfs. Doing so would make disk management
a bit worse, lead to hidden files under the mount
point, and slow down "mv /tmp/foo ~/foo" operations.
In nearly all cases, a separate /tmp isn't worth
the trouble.
> What is a *very big* security gain is to mount *all* partitions *except*
> /usr nosuid.
**AHEM**
mount --bind
Problem solved, without the disk management issues.
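An added example, not part of the original post: a POSIX shell audit over a /proc/mounts-style listing that reports which mount points still lack an option such as nosuid, so the bind-and-remount trick above can be verified afterwards. The SAMPLE_MOUNTS listing is constructed (modelled on the post's output) and the function names are my own.

```shell
# Constructed /proc/mounts-style listing for offline use; on a real system
# pass "$(cat /proc/mounts)" as the optional LISTING argument instead.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/root / ext2 rw 0 0
proc /proc proc rw 0 0
/dev/root /home ext2 rw,nosuid 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/root /usr ext2 rw 0 0'

# mount_opts MOUNTPOINT [LISTING]: option field of the topmost mount at exactly
# MOUNTPOINT. Later lines shadow earlier ones, which is what makes the post's
# second /dev/root entry (the bind mount) win for /home.
mount_opts() {
    printf '%s\n' "${2:-$SAMPLE_MOUNTS}" |
        awk -v mp="$1" '$2 == mp { opts = $4 } END { print opts }'
}

# has_opt MOUNTPOINT OPTION [LISTING]: succeed if OPTION is set on that mount.
has_opt() {
    mount_opts "$1" "$3" | tr ',' '\n' | grep -qx -- "$2"
}

# missing_opt OPTION [LISTING]: sorted mount points whose topmost mount lacks
# OPTION. Pseudo-filesystems such as /proc are reported too; filter as needed.
missing_opt() {
    printf '%s\n' "${2:-$SAMPLE_MOUNTS}" | awk -v want="$1" '
        { opts[$2] = $4 }
        END {
            for (mp in opts) {
                n = split(opts[mp], a, ",")
                found = 0
                for (i = 1; i <= n; i++) if (a[i] == want) found = 1
                if (!found) print mp
            }
        }' | sort
}

# Usage: list what is not yet nosuid in the sample, keeping /usr suid-capable
# as the post suggests. Each reported directory is a candidate for the post's
# "mount --bind DIR DIR; mount --bind -o remount,nosuid DIR DIR" pair.
for mp in $(missing_opt nosuid); do
    [ "$mp" = /usr ] && continue
    echo "lacks nosuid: $mp"
done
```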