[Techtalk] Partitioning for security questions

Carla Schroder carla at bratgrrl.com
Tue Dec 3 05:38:07 UTC 2013


Hello! So, you are elbow-deep in Debian guts :) I will answer what I
can.

On Mon, 02 Dec 2013 12:17:10 -0800
Terry <tech at futurecourse.com> wrote:
[...]
> 
> Questions:
> 1.  As I understand it, the purpose of /var/tmp is to store files
> that should survive a reboot and /tmp files won't survive a reboot.
> If I join them together using bind does that change the /var/tmp
> files' ability to survive a reboot?

No. /var/tmp will still behave as it is supposed to. IMO binding them
is unnecessarily complex as disk space is cheap and it's easy to give
them their own partitions. But there may be some cool advantage I'm not
aware of.

> 
> 2.  Debian recommends adding the following to /etc/apt/apt.conf to 
> forestall any problems with installing/upgrading packages:
> 
> DPkg::Pre-Invoke{"mount -o remount,exec /tmp";};
> DPkg::Post-Invoke {"mount -o remount /tmp";};
> 
> If I decide to go with individual partitions for the tmp directories, 
> presumably I could add similar lines for /var/tmp in case something
> uses /var/tmp for installation/updating during apt.  Is that correct?

Yes, you can do this for any filesystem.

> 
> 3.  I also ran across a number of sites that recommend adding nodev
> as well to tmp partitions.  I didn't really understand what nodev
> means so I read the mount man pages and the description "nodev - Do
> not interpret character or block special devices on the file
> system."   Not much enlightenment and so I did some more research on
> that.  I now think I have a rudimentary understanding of nodev.
> However, I have no idea if any files in /tmp or /var/tmp would ever
> legitimately require "dev" access.  Is adding "nodev" to noexec and
> nosuid something I should consider?

nodev prevents non-root users from creating device files, and using
them to gain escalated privileges. Device files can be created
anywhere, not just /dev.

> 
> /var/mail & /var/spool/mail
> 1.  In Debian, /var/spool/mail is symlinked to /var/mail so presumably 
> creating a separate partition for /var/mail takes care of 
> /var/spool/mail and I shouldn't have to recreate the sym link.  Is
> this correct?

Correct.

Please keep us posted on your progress, this is fun stuff :)

Carla

-- 
++++++++++++++++++++++++++++++++++++++++
Everything mortal has moments immortal +
++++++++++++++++++++++++++++++++++++++++
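Added example (not code from the thread or from Debian): a small POSIX sh audit that reads /proc/mounts-style lines and reports which of the filesystems discussed above (/tmp, /var/tmp, /dev/shm, /var/mail, /home) are missing nodev, nosuid or noexec, plus a generator for the DPkg::Pre-Invoke/Post-Invoke hook lines so the same remount trick can be applied to /var/tmp or any other noexec filesystem. The required-option table, the function names and the sample mount lines are my own assumptions; the sample table is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original thread or from Debian. Audits the
# mount options on the temporary and mail filesystems discussed above and
# emits apt.conf remount hooks. The option policy, the function names and
# the sample mount table are assumptions made for this example.

# Options we expect on each hardened mount point (assumed policy; extend
# the case list for your own layout).
required_opts() {
    case "$1" in
        /tmp|/var/tmp|/dev/shm) echo "nodev nosuid noexec" ;;
        /var/mail|/home)        echo "nodev nosuid" ;;
        *)                      echo "" ;;
    esac
}

# has_opt OPTS OPT: succeed if OPT appears in the comma-separated OPTS list.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mounts TABLE: TABLE is text in /proc/mounts format
# ("dev mountpoint fstype options dump pass", one mount per line).
# Prints "<mountpoint> missing: <opt>..." for every hardened mount point
# that lacks an option; returns 0 when nothing is missing, 1 otherwise.
audit_mounts() {
    out=$(printf '%s\n' "$1" | while read -r _dev mnt _fstype opts _rest; do
        want=$(required_opts "$mnt")
        [ -n "$want" ] || continue
        missing=""
        for o in $want; do
            has_opt "$opts" "$o" || missing="$missing $o"
        done
        [ -z "$missing" ] || printf '%s missing:%s\n' "$mnt" "$missing"
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# apt_remount_hooks MOUNTPOINT...: print the DPkg hook lines from the
# thread, generalized to any noexec filesystem that package maintainer
# scripts may need to execute from. Append the output to /etc/apt/apt.conf.
apt_remount_hooks() {
    for m in "$@"; do
        printf 'DPkg::Pre-Invoke {"mount -o remount,exec %s";};\n' "$m"
        printf 'DPkg::Post-Invoke {"mount -o remount %s";};\n' "$m"
    done
}

# Constructed sample mount table (not from a real host): /var/tmp and
# /dev/shm are deliberately under-hardened so the audit has something to report.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda5 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda6 /var/tmp ext4 rw,nosuid,relatime 0 0
/dev/sda7 /var/mail ext4 rw,nodev,nosuid,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# Run against the sample; on a live system use: audit_mounts "$(cat /proc/mounts)"
audit_mounts "$SAMPLE_MOUNTS" || :
apt_remount_hooks /tmp /var/tmp
```

On a live host, `audit_mounts "$(cat /proc/mounts)"` checks what is actually mounted rather than what /etc/fstab promises, which is the state that matters for nodev (the kernel refuses to open device nodes on a nodev filesystem) and nosuid. Note that the Pre-Invoke/Post-Invoke hooks leave every listed filesystem executable for the whole dpkg run, so add only the mount points that an installation genuinely needs.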

