[Techtalk] Partitioning for security questions
Terry
tech at futurecourse.com
Mon Dec 2 20:17:10 UTC 2013
Hi folks,

Warning - relative newbie to partitioning questions

I'm building a small VPS and using Debian 7 as my distro and have read
Section 3.2.1 on partitioning in the Securing Debian manual and the
recommendation here http://www.debian-administration.org/articles/57 to
mount /tmp on a separate partition with noexec and nosuid. I understand
the reasoning behind the Debian recommendations and would like to
implement at least some of them when I rebuild my current VPS.

In an effort to gain some more knowledge, I've done some more research
on securing partitions and the sometimes conflicting recommendations
have now left me somewhat confused. I've tried partitioning and using
the various nosuid, noexec, etc., options before and ended up having
problems with installing some packages. So for this rebuild, I want to
get it right.

Questions:

/tmp and /var/tmp

Both /tmp and /var/tmp are recommended to be on separate partitions. I
have seen two ways to do this - with separate partitions for each and by
using bind in /etc/fstab to join /tmp with /var/tmp. There seems to be
a split as to which way is best. My questions about this are:

1. As I understand it, the purpose of /var/tmp is to store files that
should survive a reboot and /tmp files won't survive a reboot. If I
join them together using bind does that change the /var/tmp files'
ability to survive a reboot?

2. Debian recommends adding the following to /etc/apt/apt.conf to
forestall any problems with installing/upgrading packages:

DPkg::Pre-Invoke{"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount /tmp";};

If I decide to go with individual partitions for the tmp directories,
presumably I could add similar lines for /var/tmp in case something uses
/var/tmp for installation/updating during apt. Is that correct?

3. I also ran across a number of sites that recommend adding nodev as
well to tmp partitions. I didn't really understand what nodev means so
I read the mount man pages and the description "nodev - Do not interpret
character or block special devices on the file system." Not much
enlightenment and so I did some more research on that. I now think I
have a rudimentary understanding of nodev. However, I have no idea if
any files in /tmp or /var/tmp would ever legitimately require "dev"
access. Is adding "nodev" to noexec and nosuid something I should consider?

/var/mail & /var/spool/mail

1. In Debian, /var/mail/spool is symlinked to /var/mail so presumably
creating a separate partition for /var/mail takes care of
/var/spool/mail and I shouldn't have to recreate the symlink. Is this
correct?

Any guidance would be greatly appreciated.
--
Terry
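
Added example (not part of the original message): a small shell check that reads an fstab-format file and reports which of the nodev, nosuid and noexec options discussed above each mount point fails to declare. The device names and partition layout are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. The device names and layout below are constructed sample data.
sample_fstab() {
    cat <<'EOF'
# <file system> <mount point> <type> <options>                 <dump> <pass>
/dev/vda1       /             ext4   errors=remount-ro          0 1
/dev/vda5       /tmp          ext4   defaults,nosuid,noexec     0 2
/dev/vda6       /var/tmp      ext4   nodev,nosuid,noexec        0 2
/dev/vda7       /var/mail     ext4   defaults,nosuid            0 2
EOF
}

# missing_opts FSTAB MOUNTPOINT
# Prints the options from "nodev nosuid noexec" that the entry does not
# declare, "none" if it declares all three, or "no-entry" if the mount
# point has no fstab line of its own.
missing_opts() {
    awk -v mp="$2" '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        $2 == mp { found = 1; opts = $4 }     # a later duplicate entry wins
        END {
            if (!found) { print "no-entry"; exit }
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) have[o[i]] = 1
            out = ""
            m = split("nodev nosuid noexec", want, " ")
            for (i = 1; i <= m; i++)
                if (!(want[i] in have))
                    out = out (out == "" ? "" : " ") want[i]
            print (out == "" ? "none" : out)
        }' "$1"
}

# Run the check over the constructed sample.
f=$(mktemp)
sample_fstab > "$f"
for mp in /tmp /var/tmp /var/mail /var/spool/mail; do
    printf '%-16s missing: %s\n' "$mp" "$(missing_opts "$f" "$mp")"
done
rm -f "$f"
```

This reads only what the fstab file declares; on a running system, `findmnt -no OPTIONS /tmp` shows the options actually in effect.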