
Re: How to get away with small /var partition



On Sun, 30 Nov 2003 23:21:24 +0100, Miernik wrote:

> On 2003-11-30, Karsten M. Self <kmself@ix.netcom.com> wrote:
>>> I recommend making it far larger than in the Debian security doc
>>> though.  On my servers I have /boot and /usr read-only, and I've been
>>
>> You can leave /boot unmounted altogether.  The only times it needs to be
>> accessed are:
>>
>>   - At boot time, where access is direct to partition, and the partition
>>     need not be mounted (indeed, can't be).
>>
>>   - When examining kernel config files and System maps (read-only)
>>
>>   - When installing a new kernel (writeable)
> 
> Show me a good reason to separate /boot to a separate partition at
> all. What's the extra security we get out of this?
> In /boot there are only the kernel images, System.map's, kernel
> config, and GRUB config.
>
> All that is writable only by root anyway (perms -rw-r--r-- root.root)
> If an attacker gets rights to write or change perms of files there,
> he can equally easily remount the partition rw.
> 
> So what's the point?

Elementary System Administration and Security
---------------------------------------------

Lesson #1:  Don't mount things not needed for the operation of the system

Lesson #2:  Mount things with the minimum permissions necessary for the
operation of the system.

Lesson #3:  Don't overcomplicate system administration by unnecessary
duplication

re. Lesson #1:
/boot is not needed for the normal operation of the system, and not
mounting it provides two security benefits:
 - it can't get accidentally or maliciously damaged
 - Conf files are the system admin's business only, but may be of interest
to persons of malice.

re. Lesson #2:
- If the sysadmin just needs to see or read /boot files, mounting it ro
reduces the risk of accidental or malicious damage.

re. Lesson #3:
- An example:  I run more than one Linux instance, each with its own /.
I also have several kernels.  If I put /boot on its own filesystem, I
don't have to duplicate it.

With regard to your comment about root access:  if someone gets root
access, *all* your system security is fscked anyway.

-- 
....................paul

"The average lifespan of a Web page today is 100 days. This is no way to
run a culture."

Internet Archive Board Chairman
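
A way to check Lessons #1 and #2 on a host, as an added example that is not part of the original post: it reads an fstab-format file and a /proc/mounts-format file and reports whether a mount point such as /boot is kept unmounted (noauto) or read-only. The function names, device names and sample files are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example; device names and sample files below are constructed.

# fstab_policy FSTAB MOUNTPOINT -> noauto | ro | rw | absent
fstab_policy() {
    awk -v mp="$2" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        $2 == mp {
            found = 1; verdict = "rw"           # rw unless an option says otherwise
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") verdict = "ro"
            for (i = 1; i <= n; i++) if (opts[i] == "noauto") verdict = "noauto"
        }
        END { print (found ? verdict : "absent") }' "$1"
}

# live_state MOUNTS MOUNTPOINT -> unmounted | ro | rw  (MOUNTS in /proc/mounts format)
live_state() {
    awk -v mp="$2" '
        $2 == mp {
            found = 1; state = "rw"             # last matching line is the visible mount
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") state = "ro"
        }
        END { print (found ? state : "unmounted") }' "$1"
}

# audit_mount FSTAB MOUNTS MOUNTPOINT -> ok | review
# "ok" only if the filesystem is unmounted or ro now AND fstab keeps it so after a reboot.
# Intended for filesystems that need not be writable in normal operation (e.g. /boot).
audit_mount() {
    case "$(live_state "$2" "$3"):$(fstab_policy "$1" "$3")" in
        unmounted:noauto|unmounted:absent|ro:ro) echo ok ;;
        *) echo review ;;
    esac
}

SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/fstab" <<'EOF'
# <fs>     <mount point> <type> <options>  <dump> <pass>
/dev/hda1  /boot         ext2   noauto,ro  0      2
/dev/hda3  /usr          ext3   defaults   0      2
EOF
cat > "$SAMPLE_DIR/mounts" <<'EOF'
/dev/hda3 /usr ext3 ro,nodev 0 0
EOF
for mp in /boot /usr; do
    echo "$mp: $(audit_mount "$SAMPLE_DIR/fstab" "$SAMPLE_DIR/mounts" "$mp")"
done
```

On a real host, pass /etc/fstab and /proc/mounts instead of the sample files. In the sample, /usr is flagged because it was remounted ro by hand while fstab would bring it back rw on the next boot.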



