Mailinglist Archive: opensuse (1420 mails)

< Previous Next >
Re: [opensuse] Re: Temp directories NOT cleared at boot (oS13.1)

On 14-01-26 09:16 AM, Anton Aylward wrote:
On 01/25/2014 11:44 PM, Linda Walsh wrote:
Mine hasn't been on the root partition for about 10 years.

I didn't want to destabilize root by having alot of r/w activity
on the root partition, so my /tmp 'really' on my /var partition --
that was named for it's 'variable' state. mounting
/var and using "rbind" to mount a dir one /tmp, is an early
step.

There are and there have been in the past many good reasons to have /tmp treated differently.

* once there was a vulnerability which could simply be mitigated by having /tmp on a separate partition. maybe that will recur.

* some applications such a the C/C++ development cycle creates a lot of transient activity on /tmp with the intermediate files of the compile process. having /tmp on a separate spindle offers a parallelism that helps here.

* in the limiting case of the above a tmpfs /tmp would make that even faster, but many applications want the memory.

* Mike Tilson once developed a FS overlay that he used for /tmp which images part of the FS, the inodes and root directory, into memory in a way similar to a tmpfs. This was on 'development' machines and was a very successful accelerator.

Would I be right in guessing that none of the above is an issue if you're using an SSD, since there are no moving parts in an SSD?
* one of the problems of DOS/Windows is that can't make the root 'read only' since it needs activity. Yes you can create a D: partition and move the swap file off C: but it still needs to have C: writeable. Not so for Linux. You can set it up, assuming you aren't doing upgrades, with the root partition READ-ONLY. Yes you need to migrate other things off the root partition and perhaps set symlinks (heck, there are a lot under /etc/ anyway!) and rbind. Having binaries and libraries RO is a great defence against hackers and malware.
Now this is interesting, as there is always a risk of attack by bad guys. Is there a comprehensive 'HOW TO' you can point to that is adequate to show even a novice how to protect himself using this practice? If not, how would you advise such a novice how to partition, say, a new system with one or two large SSDs (Crucial has had one that is almost 1TB for quite a while), so that he can make his binaries and libraries RO, for a machine intended to be a web server? And, if it is set up that way, what method would he have to use in order to be able to apply updates (particularly those related to security - there will be, for example, such updates to apache's httpd server, and whatever DB he's using, and obviously these would need to be applied so that the web apps are protected as well as can be done)?

Cheers

Ted
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups