[techtalk] partitioning security (was lilo)

Akkana akkana at shallowsky.com
Mon Jul 23 11:30:27 EST 2001


coldfire writes:
> > As a side note, you shouldn't install Linux with everything on one partition.
> > I was going to point you to VA Linux's site for good partition scheme
> > suggestions, but they're no longer doing hardware apparently.  Ah well.
> > There are plenty of resources out there on the net for partitioning schemes.
> 
> very true .. throwing everything on one partition is a potential security
> risk and could also make your machine less stable.  i won't go into detail
> (i'm somewhat ethical ;p) on these issues ..

So ... I don't want to compromise your ethics or give info to crackers,
but can you at least give some hints as to why this setup should be 
any less secure or less stable?

> but it's always a good idea to mount /tmp on its own partition.  i mean,
> it's world readable and world writeable.  having this on its own separate
> partition prevents users from being able to make hardlinks to privileged
> files for example.  the same could apply for /home and other points.

So?  When you make a hard link, the owner and permissions are
preserved; if you couldn't read the file before, you still can't.

There can certainly be performance wins from moving certain directories
to other partitions or, better, to another disk.  It especially helps
with /tmp and swap, and around here we often put our build directories
on a separate partition from where the compiler lives, for various
reasons.  It's also useful to make a small partition (ideally on
another disk) to carry vital info about the linux system (fstab and
other system files, and maybe your home directory dotfiles) in case
of problems.  But that's not a security issue.

I've set up systems with several small partitions and systems where
everything was on one big partition, and haven't seen any stability
problems with the one-big-disk setup; if anything, the several-small-
partition systems are sometimes less stable because eventually
(perhaps not now, but a year from now when you upgrade to a newer
system which takes much more disk space than the system for which you
set up the partitions) you run out of space to install things and
either have to resort to a web of symlinks (ugh) or wipe the system,
repartition and start over.

> i always like to have /var mounted on its own partition.  this way, if an
> attacker decides he wants to flood my box with something .. whatever it
> may be .. if it's logged, when the logs fill up the partition entirely, it
> won't crash the root partition.  i guess this could apply for /tmp as well
> (and possibly other points).

Sure, I've set up systems where /tmp was a separate filesystem for
that reason.  Is that considered a security issue?  So we're not
talking easier to break into, just slightly more vulnerable to 
flooding types of attacks?

-- 
	...Akkana       http://www.shallowsky.com
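
Added example (not part of the original message or thread): a small Python
check of the two hard-link facts discussed above. link(2) only works within
one filesystem, and a hard link shares the target's inode, so owner and mode
are unchanged. The mount table is constructed sample data and the function
names are hypothetical.

```python
import os
import stat
import tempfile

# Constructed sample in /proc/mounts format (not taken from the thread).
SAMPLE_MOUNTS = """\
/dev/hda1 / ext2 rw 0 0
/dev/hda5 /tmp ext2 rw,nosuid,nodev 0 0
/dev/hda6 /var ext2 rw 0 0
proc /proc proc rw 0 0
"""

def parse_mounts(text):
    """Return {mount_point: device} from /proc/mounts-style text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            mounts[fields[1]] = fields[0]
    return mounts

def mount_point_for(path, mounts):
    """Longest mount point that is a path-component prefix of `path`."""
    path = os.path.normpath(path)
    best = "/"
    for mp in mounts:
        on_mp = path == mp or path.startswith(mp.rstrip("/") + "/")
        if on_mp and len(mp) > len(best):
            best = mp
    return best

def can_hard_link(src, dst_dir, mounts):
    """link(2) fails with EXDEV unless both paths are on one filesystem."""
    return mount_point_for(src, mounts) == mount_point_for(dst_dir, mounts)

def link_keeps_metadata():
    """Create a 0600 file, hard-link it, and compare inode, owner and mode."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "private")
        open(target, "w").close()
        os.chmod(target, 0o600)
        alias = os.path.join(d, "alias")
        os.link(target, alias)
        a, b = os.stat(target), os.stat(alias)
        return (a.st_ino == b.st_ino and a.st_uid == b.st_uid
                and stat.S_IMODE(b.st_mode) == 0o600)

if __name__ == "__main__":
    m = parse_mounts(SAMPLE_MOUNTS)
    print({d: can_hard_link("/etc/shadow", d, m) for d in ("/tmp", "/var/log", "/home")}, link_keeps_metadata())
```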
