on Sat, Nov 29, 2003 at 03:16:56PM -0500, Malcolm Ferguson (Malcolm_Ferguson@yahoo.com) wrote:
> Walter Dnes wrote:
>
> >On Fri, Nov 28, 2003 at 12:13:46AM -0800, Karsten M. Self wrote
> >
> >>Or you could just give yourself One Big Partition and deal with the
> >>attendant problems.
> >
> > I'm trying to get as close as possible to One Big Partition, without
> >the problems. The minimal needs seem to be...
>
> I hate multiple partitions. I always seem to run out of space on one
> even though I have tons left on others. It seems hard to make good
> partitioning choices that will survive years of abuse. It sounds like
> you're considering LVM though.

The partitioning guidelines I've presented _have_ withstood years of
abuse.

The rationale is addressed in the article below, and in large part
addresses problem containment, and privilege minimization:

http://twiki.iwethey.org/Main/NixPartitioning

> That being said, there are some other thoughts. I know you're well
> aware of security, but I will reiterate. Something I picked up from
> the recent discussions about the Debian server break-in is that /tmp
> on its own partition can be set to noexec and nosuid.

I believe nosuid and nodev, though I can't locate a reference ATM.
Point being that the permissions you want to allow for user-writeable
partitions are lesser than those for system partitions. Minimal
permissions, always, is a good policy.

> I recommend making it far larger than in the Debian security doc
> though. On my servers I have /boot and /usr read-only, and I've been

You can leave /boot unmounted altogether. The only times it needs to be
accessed are:

- At boot time, where access is direct to partition, and the partition
  need not be mounted (indeed, can't be).
- When examining kernel config files and System maps (read-only)
- When installing a new kernel (writeable)

Note that if a partition is mounted, you can use the
"remount,options=<list>" to change options. I use this, for example, in
a slightly modified /etc/init.d/pcmcia file to remount /tmp with device
files enabled when initiating PCMCIA settings. Otherwise, the partition
is mounted nodev.

See /usr/share/doc/apt/examples/configure-index.gz for how to mount /usr
writeable during system upgrades. I'm not positive of the
multiple-action syntax, but this might work in /etc/apt/apt.conf:
------------------------------------------------------------------------
DPkg
{
   // Auto re-mount of readonly /usr
   // (each list entry and each closing brace ends with a semicolon)
   Pre-Invoke {"mount -o remount,rw /usr; mount -o remount,rw /boot;";};
   Post-Invoke {"mount -o remount,ro /usr; mount -o remount,ro /boot;";};
};
------------------------------------------------------------------------

> wondering recently if I should/can do the same with /etc.

With great difficulty.

Peace.
--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Backgrounder on the Caldera/SCO vs. IBM and Linux dispute.
http://sco.iwethey.org/
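
An added example, not part of the original message: a POSIX shell check that compares a mount table against the options discussed in this thread (nosuid, nodev and noexec on /tmp; read-only /usr and /boot). The POLICY list, the function names and the sample mount lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a mount table against the options discussed in this thread.
# POLICY is an assumption built from the thread: /tmp wants nosuid,nodev,noexec;
# /usr and /boot want ro. Format: "<mountpoint>:<comma-separated required options>".
POLICY='/tmp:nosuid,nodev,noexec
/usr:ro
/boot:ro'

# has_opt OPTS WANT: succeeds only if WANT is a whole entry in the option list
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mounts: read /proc/mounts-format lines on stdin, print one
# "MISSING <mountpoint> <option>" line per violation; exit status 1 if any.
audit_mounts() {
    table=$(cat)
    status=0
    for rule in $POLICY; do
        mp=${rule%%:*}
        want=${rule#*:}
        # Last matching line wins: a later mount shadows an earlier one.
        opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
        if [ -z "$opts" ]; then
            # Not mounted (e.g. /boot left unmounted) or not a separate partition.
            echo "SKIP $mp not-mounted"
            continue
        fi
        for w in $(printf '%s' "$want" | tr ',' ' '); do
            has_opt "$opts" "$w" || { echo "MISSING $mp $w"; status=1; }
        done
    done
    return $status
}

# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE='/dev/hda1 / ext3 rw 0 0
/dev/hda5 /usr ext3 rw 0 0
/dev/hda6 /tmp ext3 rw,nosuid,nodev 0 0
/dev/hda7 /home ext3 rw,nosuid,nodev 0 0'

# On a live system: audit_mounts < /proc/mounts
printf '%s\n' "$SAMPLE" | audit_mounts || echo "policy violations found"
```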