On Thu, 6 Jul 2000, Nikolai Dahlem wrote:
At 13:57 06.07.00 +0200, you wrote:
Partitioning is either a question for a beginner mailing list - or - if it IS a security related question, the information given in the mail is everything else but enough to answer.
Sorry if I provided too little information. I thought about partitions as a manner of security, like separate partition for log-files, separate partition for web-server document root and mail-spool, etc. I just wanted to collect some ideas to ensure that I don't overlook something when I set up the partitions.
Nikolai
There _are_ security-related issues regarding disk partitioning, so you're not off base to ask the question to this list, IMO. Basically, you have to consider how your server can be exposed to possible Denial of Service attacks by having user- or outsider-writable sections on the filesystem together with critical parts of the OS or logs.

One precaution would be to have a separate partition for /var, separating the email and printing spool files from the root partition. You should probably also have a separate /tmp partition, since it's world-writable. It might even make sense to have a separate /var/log partition so that system logs aren't compromised by a possible email DoS (even better: log to a remote system).

If you're running anything where size can vary wildly (like Usenet news) it's a good idea to put it on a separate partition. If you've got user accounts on the machine it's probably a good idea to put them in a separate partition so they don't accidentally (or on purpose) fill up a crucial partition. If you have any world-writable anonymous FTP areas (bad idea but perhaps unavoidable) you'd want them in a partition where you couldn't be DoSed by somebody dumping a bunch of warez on you.

My basic partition scheme is generally a variation of this:

  /
  /var
  /tmp
  /home

plus usually a /usr partition since that's where most of the software lives (so I usually end up adding disks to this partition), plus partitions for special software, such as Oracle or Usenet news, plus sometimes /usr/local if I have a lot of local stuff such as a big httpd root.

Hope this helps,

John Ritchie
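The layout advice in the reply above can be checked against a mount table. This is an added example, not part of the original thread; it assumes a Linux `/proc/mounts`-style table, and the function names and sample table are hypothetical.

```shell
#!/bin/sh
# Added example: report which write-heavy directories still live on the
# root filesystem, given a mount table in /proc/mounts format
# (device mountpoint fstype options ...). Linux format is an assumption.

# Directories the reply names as candidates for their own partition.
AUDIT_DIRS="/var /var/log /tmp /home"

# mount_point_for TABLE DIR: print the longest mount point containing DIR.
mount_point_for() {
    awk -v dir="$2" '
        {
            mp = $2
            # mp contains dir if it is "/", equals dir, or is a prefix of
            # dir followed by "/" (so /var does not match /varnish).
            if (mp == "/" || dir == mp || index(dir, mp "/") == 1)
                if (length(mp) >= length(best)) best = mp
        }
        END { print best }
    ' "$1"
}

# shared_with_root TABLE: print the audited directories (space separated)
# whose filesystem is /, i.e. filling them can fill the root partition.
shared_with_root() {
    out=""
    for d in $AUDIT_DIRS; do
        if [ "$(mount_point_for "$1" "$d")" = "/" ]; then
            out="${out:+$out }$d"
        fi
    done
    printf '%s\n' "$out"
}

# Constructed sample table: /var, /home and /usr are separate, /tmp is not.
SAMPLE_TABLE=$(mktemp)
trap 'rm -f "$SAMPLE_TABLE"' EXIT
cat > "$SAMPLE_TABLE" <<'EOF'
/dev/sda1 / ext2 rw 0 0
/dev/sda2 /var ext2 rw 0 0
/dev/sda3 /home ext2 rw 0 0
/dev/sda4 /usr ext2 rw 0 0
EOF

shared_with_root "$SAMPLE_TABLE"
```

On a live Linux host, `shared_with_root /proc/mounts` runs the same check; in the sample, /var/log resolves to /var, so logs there still share space with the mail and print spools.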