Mailinglist Archive: opensuse-security (260 mails)

Re: [suse-security] partitions & mail system
  • From: Roman Drahtmueller <draht@xxxxxxxxxxxxxxx>
  • Date: Thu, 6 Jul 2000 16:34:35 +0200 (MEST)
  • Message-id: <Pine.LNX.4.21.0007061626530.20008-100000@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
>
> Sorry if I provided too little information. I thought about partitions as a
> manner of security, like separate partition for log-files, separate
> partition for web-server document root and mail-spool, etc. I just wanted
> to collect some ideas to ensure that i don't overlook something when I set
> up the partitions.
>
> Nikolai
>

Another hint, following the other postings:

Change the mount options for your partitions to the bare minimum needed.

/usr doesn't contain devices, but if it does anyway, nodev inhibits the
interpretation of a device file.

/ doesn't need to be writeable for users if you have a separate /var
filesystem (you needn't have a directory writeable for users). Make sure
that you remove /tmp and create a link /tmp -> var/tmp. (It would be
advisable to create /var/tmp on the root filesystem as well!)

On some machines, where I can't symlink /tmp, I have / mounted
nosuid. This requires that the path contains /usr/bin before /bin, and
that all needed suid binaries from /bin have an equivalent in /usr
(copied, not moved!).

This is what it can look like:

/dev/sda2 on / type ext2 (rw,nosuid)
/dev/sda3 on /var type ext2 (rw,nosuid,nodev,usrquota)
/dev/sdb1 on /usr type ext2 (rw,nodev)
/dev/sdc1 on /home type ext2 (rw,nosuid,nodev,noatime,usrquota)
/dev/sda1 on /boot type ext2 (rw)

"noatime" is there for performance reasons. Be careful with that, it might break
things (Currently, I don't know of any...).

Roman.
--
| Roman Drahtmüller           "The best way to pay for a      |
| CC University of Freiburg    lovely moment is to enjoy it." |
| email: draht@xxxxxxxxxxxxxxx                - Richard Bach  |
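A small audit script for the mount-option policy Roman describes above (an added example, not code from the original post or from Roman). It assumes a per-mount-point policy mirroring his listing (nosuid on /, nosuid+nodev on /var and /home, nodev on /usr) and runs over a constructed copy of that listing in which /home has lost its restrictive options.

```shell
#!/bin/sh
# Added example, not code from Roman's post: audit a mount listing (mount(8) format)
# against the least-privilege mount policy he describes. The per-mount-point
# requirements are an assumed policy mirroring his listing; the sample is constructed.

# Minimum options each mount point should carry (assumed policy).
required_opts() {
    case "$1" in
        /)     echo "nosuid" ;;
        /var)  echo "nosuid nodev" ;;
        /usr)  echo "nodev" ;;
        /home) echo "nosuid nodev" ;;
        *)     echo "" ;;
    esac
}

# has_opt "rw,nosuid,nodev" nodev -> true if the option is in the comma list
has_opt() { case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac; }

# check_mount_line "<dev> on <mountpoint> type <fs> (<opts>)"
# Warns on stderr and returns 1 if a required option is missing.
check_mount_line() {
    set -- $1                          # $1=dev $3=mountpoint $6=(opts)
    opts=${6#\(}; opts=${opts%\)}      # strip the parentheses around the options
    missing=""
    for want in $(required_opts "$3"); do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    [ -z "$missing" ] && return 0
    printf 'WARN: %s on %s lacks:%s\n' "$1" "$3" "$missing" >&2
    return 1
}

# Reads a mount listing on stdin; prints the number of non-conforming mounts.
audit_mounts() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] && { check_mount_line "$line" || bad=$((bad + 1)); }
    done
    echo "$bad"
}

# Constructed sample: Roman's listing, but with /home mounted without nosuid/nodev.
SAMPLE='/dev/sda2 on / type ext2 (rw,nosuid)
/dev/sda3 on /var type ext2 (rw,nosuid,nodev,usrquota)
/dev/sdb1 on /usr type ext2 (rw,nodev)
/dev/sdc1 on /home type ext2 (rw,noatime,usrquota)
/dev/sda1 on /boot type ext2 (rw)'

printf '%s\n' "$SAMPLE" | audit_mounts    # prints 1
```

On a live system, feed it the real listing with `mount | audit_mounts` and extend `required_opts` to match your own partition layout.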

