Mailinglist Archive: opensuse-security (260 mails)

< Previous Next >
Re: [suse-security] partitions & mail system
  • From: John Ritchie <ritchiej@xxxxxxxxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 6 Jul 2000 06:50:47 -0700 (PDT)
  • Message-id: <Pine.LNX.4.10.10007060619530.24271-100000@xxxxxxxxxxxxxxxxxxxxxxxxx>
On Thu, 6 Jul 2000, Nikolai Dahlem wrote:

> At 13:57 06.07.00 +0200, you wrote:
> >Partitioning is either a question for a beginner mailing list
> >- or-
> >if it IS a security related question, the information given in the mail is
> >everything else but enough to answer.
> Sorry if I provided too little information. I thought about partitions as a
> manner of security, like separate partition for log-files, separate
> partition for web-server document root and mail-spool, etc. I just wanted
> to collect some ideas to ensure that i don't overlook something when I set
> up the partitions.
> Nikolai

There _are_ security-related issues regarding disk partitioning, so you're
not off base to ask the question to this list, IMO.

Basically, you have to consider how your server can be exposed to possible
Denial of Service attacks by having user- or outsider-writable
sections on the filesystem together with critical parts of the OS
or logs. One precaution would have a seperate partition for /var,
seperating the email and printing spool files from the root
partition. You should probably also have a seperate /tmp partition, since
it's world-writable. It might even make sense to have a seperate /var/log
partition so that system logs aren't compromised by a possible email DoS
(even better: log to a remote system). If you're running anything where
size can vary wildly (like Usenet news) it's a good idea to put it on a
seperate partition. If you've got user accounts on the machine it's
probably a good idea to put them in a seperate partition so they don't
accidentally (or on purpose) fill up a crucial partition. If you have any
world-writable anonymous FTP areas (bad idea but perhaps unavoidable)
you'd want them in a partition where you couldn't be DoSed by somebody
dumping a bunch of warez on you.

My basic partition scheme is generally a variation of this:


plus usually a /usr partition since that's where most of the software
lives (so I usually end up adding disks to this partition),
plus partitions for special software, such as Oracle or Usenet news,
plus sometimes /usr/local if I have a lot of local stuff such as a big
httpd root.

Hope this helps,

John Ritchie

< Previous Next >
Follow Ups