[techtalk] partitioning security (was lilo)

Caitlyn M. Martin cmartin at rtdssmud.rtp.epa.gov
Mon Jul 30 15:41:47 EST 2001


Akkana wrote:

> > very true .. throwing everything on one partition is a potential security
> > risk and could also make your machine less stable.  i won't go into detail
> > (i'm somewhat ethical ;p) on these issues ..
>
> So ... I don't want to compromise your ethics or give info to crackers,
> but can you at least give some hints as to why this setup should be
> any less secure or less stable?

Agreed.  I've certainly not heard that a large partition makes a box more
crackable, and I am supposed to know these sorts of things since I write the Linux
standards around here.

> There can certainly be performance wins from moving certain directories
> to other partitions or, better, to another disk.  It especially helps
> with /tmp and swap, and around here we often put our build directories
> on a separate partition from where the compiler lives, for various
> reasons.  It's also useful to make a small partition (ideally on
> another disk) to carry vital info about the Linux system (fstab and
> other system files, and maybe your home directory dotfiles) in case
> of problems.  But that's not a security issue.

I always recommend making /home and /var separate partitions.  This way, if the
OS needs to be redone from scratch for some reason, the data is still there.  (Yes,
I have backups to fall back on.  It's just a pain to do that.)  At home and in the
lab, where blowing away the OS is a matter of course as we play with different
things, having /home separate and having your old logs after the rebuild is really
useful.

> I've set up systems with several small partitions and systems where
> everything was on one big partition, and haven't seen any stability
> problems with the one-big-disk setup; if anything, the several-small-
> partition systems are sometimes less stable because eventually
> (perhaps not now, but a year from now when you upgrade to a newer
> system which takes much more disk space than the system for which you
> set up the partitions) you run out of space to install things and
> either have to resort to a web of symlinks (ugh) or wipe the system,
> repartition and start over.

Actually, the GNU parted utility makes it possible to resize your partitions and
not have to blow away the whole system.  There are limitations, but it does work.
I increased my swap space when I added memory to my home system this way.  I stole
the space from the end of /home.

> > i always like to have /var mounted on its own partition.  this way, if an
> > attacker decides he wants to flood my box with something .. whatever it
> > may be .. if it's logged, when the logs fill up the partition entirely, it
> > won't crash the root partition.  i guess this could apply for /tmp as well
> > (and possibly other points).
>
> Sure, I've set up systems where /tmp was a separate filesystem for
> that reason.  Is that considered a security issue?  So we're not
> talking easier to break into, just slightly more vulnerable to
> flooding types of attacks?

I'd have to agree with you.  Actually, if someone is successfully attacking my box,
I want it off the network.  That crash isn't a bad thing.

-Caity
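
The point raised in the thread, that logs or temp files filling /var or /tmp also fill / when they share a partition, can be checked on a given box. The script below is an added example, not part of the original message: it takes a mount table in /proc/mounts format and reports whether /var, /tmp and /home have their own filesystem. The sample table and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original thread).

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw 0 0
/dev/sda2 /var ext4 rw,nosuid 0 0
/dev/sda3 /home ext4 rw 0 0
tmpfs /run tmpfs rw 0 0'

# backing_mount DIR [MOUNT_TABLE]
# Prints the mount point of the filesystem that holds DIR: the longest
# mount point that is DIR itself or one of its parent directories.
# Without MOUNT_TABLE the live /proc/mounts is read.
backing_mount() {
    if [ -n "${2-}" ]; then printf '%s\n' "$2"; else cat /proc/mounts; fi |
    awk -v d="$1" '
        ($2 == d || $2 == "/" || index(d, $2 "/") == 1) && length($2) > length(best) {
            best = $2
        }
        END { print best }'
}

# shares_root DIR [MOUNT_TABLE]
# Succeeds when DIR is on the root filesystem, i.e. filling DIR fills /.
shares_root() {
    [ "$(backing_mount "$1" "${2-}")" = "/" ]
}

# audit [MOUNT_TABLE]: one line for each directory named in the thread.
audit() {
    for dir in /var /tmp /home; do
        if shares_root "$dir" "${1-}"; then
            echo "$dir shares the root filesystem"
        else
            echo "$dir is separate (mounted at $(backing_mount "$dir" "${1-}"))"
        fi
    done
}

audit "$SAMPLE_MOUNTS"
```

Calling `audit` with no argument runs the same check against the live /proc/mounts.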




