Re: Partition Sizing

Zack Weinberg (zack@bitmover.com)
Thu, 22 Jul 1999 12:08:23 -0700

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Artur Skawina: "Re: Measured overhead of timer interrupts"
Previous message: Andrej Todosic: "RE: ping -R causes kernel panic on a forwarding machine ( 2.2.5 a"

The Doctor What wrote:
> I'm curious about this as well. What advantages are there to multiple
> partitions, besides faster fsck times? How do I know what size to make
> them? How should I break the partitions up? What do I do if I run out of
> space in one?

One big advantage is that you can mount partitions read-only, noexec,
etc. to tighten down system security. For example:

mount pt size options
/ 32MB
/usr 512MB ro
/var 512MB noexec
/home remainder nosuid

In addition, you should symlink /tmp to /var/tmp and audit your rc
scripts to make sure they don't need /tmp before /var is mounted. All
modern distros I've tried get this right.

It would be nice to be able to mount / ro and nosuid, but you can't do
that because there tend to be a few suid executables in /bin, you
frequently need to modify files in /etc, and login/logout needs to
modify permissions on /dev nodes. devfs plus lots of symlinks may be
able to correct this.

It is probably possible to mount /usr, /var, and /home nodev, which
closes a few more holes. Some Unixes disable named pipes and sockets
too when you do that, which breaks lots of stuff. I hope Linux
doesn't. Another potential problem is that some broken programs
(*cough* qmail *cough*) insist on putting executables in /var. If you
have any, repair them - with a sledgehammer, if necessary.

The sizes above are empirical - what I tend to need for each one. You
want to leave lots of free space in /var. You may need a bigger /usr
if you like to install lots of software.

The point of all this is you've made it quite a bit harder for
crackers to damage your system by e.g. installation of trojan horses.
It's also advised to go through / and set immutable bits on everything
"interesting" (ld.so, libc.so, su, etc.) BSD can nail it down even
tighter by making it impossible to remount /usr writable without
rebooting the machine. I don't know if this is possible with Linux;
it sure would be nice...

The disadvantage is it's harder to do upgrades and the system
configuration is more complicated. You may also have broken things
depending on how fascist you were about the mount options. As with
most things security-related, it's a tradeoff.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Artur Skawina: "Re: Measured overhead of timer interrupts"
Previous message: Andrej Todosic: "RE: ping -R causes kernel panic on a forwarding machine ( 2.2.5 a"