Debian Planet

    Re: Partitioning tips (Score: 2, Interesting)
    by ChuukNoris on Wednesday, April 03 @ 21:11:23 BST
    (User Info)

    Just to expound on points #1 and #2 above:

    One of the major reasons to have different partitions, that I haven’t seen explicitly mentioned here, is that it really helps with system security. Indeed, mounting /usr (and as many other partitions as possible) read-only is one of the best things you can do for your system. Not only does it prevent file permission problems (as GoRK rightfully mentioned), but there is probably a good chance that it will stop script kiddies from easily taking over your entire system. I only say this because I’m expecting the average h4x0r or worm not to know how to deal with such things. Of course, this may not be a valid assumption.

    More importantly, there is an entire class of vulnerabilities that can be prevented by keeping things on different partitions. To oversimplify a bit, most of the ‘race conditions’ that one hears about can be thwarted by partitioning.

    Here’s why. If some program has an exploitable race condition, it can often be exploited by making a hard link (with the ‘ln’ command) to some other file, say in /etc. Then the malicious user can overwrite, say, your /etc/passwd file, at best causing a denial of service attack (as no one will be able to log in), at worst gaining root access. If /tmp is on its own partition, however, it can only be used to overwrite other files in /tmp.

    Every directory that users (i.e. not root) have write access to should be on a different partition than all of your programs (/usr, /bin, /sbin …) and configuration files (/etc). This, combined with mounting everything possible as read-only, is the first step to really securing a UNIX system.

    (Incidentally, if you do decide to mount /usr as read-only, check out this thread for information on how to make apt automatically re-mount it rw and ro again.)

    Keeping everything on separate partitions will also allow you to use some of the more paranoid mounting flags, such as nodev and nosuid. Since there’s *usually* no reason for anyone to be creating devices anywhere except /dev, and almost never a reason for there to be setuid binaries in /tmp or /var, you can make it even more difficult for someone to break into your system. Note that many script-kiddy-ready exploit scripts on the Internet try to do things like create a setuid root shell in /tmp. Also, be very careful about setting these flags: some programs do need devices in weird places.

    I realize after rereading what I’ve written that it’s not really oriented toward the new UNIX user or admin. Some of the topics I’ve only briefly glossed over, such as race conditions, can get pretty complex and there are much better explanations of how they work already out there. That said, as far as a home system goes, it really depends on how secure you want to be vs. ease of use. All of this partitioning does tend to make life a pain in the ass when you need to download that 4GB file but only have 3.5 GB available in /home and 3.5 GB available in /var 🙂 But for a server it’s invaluable.

    Chuuk
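    A small fstab audit script, added here as an example and not part of the comment above, that checks for the layout it recommends: /usr read-only, and /tmp, /var and /home each on their own partition with nodev and nosuid. Both fstab samples are constructed for the example; the "weak" one puts /tmp and /var on the root filesystem, so a hard link made there can reach /etc.

```shell
# Audit an /etc/fstab for: /usr read-only; /tmp, /var and /home on their own
# filesystem (hard links cannot cross filesystems, so /etc is out of reach)
# and mounted nodev,nosuid. Both fstab samples are constructed for this example.
WEAK_FSTAB='# <fs>     <mount> <type> <options>                 <dump> <pass>
/dev/sda1  /       ext3   defaults,errors=remount-ro  0 1
/dev/sda2  /usr    ext3   defaults                    0 2
/dev/sda3  /home   ext3   defaults,nosuid             0 2'
HARDENED_FSTAB='# <fs>     <mount> <type> <options>                 <dump> <pass>
/dev/sda1  /       ext3   defaults,errors=remount-ro  0 1
/dev/sda2  /usr    ext3   defaults,ro                 0 2
/dev/sda3  /var    ext3   defaults,nodev,nosuid       0 2
/dev/sda4  /tmp    ext3   defaults,nodev,nosuid       0 2
/dev/sda5  /home   ext3   defaults,nodev,nosuid       0 2'
# is_mountpoint FSTAB DIR: succeeds if DIR has its own entry (own partition)
is_mountpoint() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $1 !~ /^#/ && NF >= 4 && $2 == mp { found = 1 }
        END { exit found ? 0 : 1 }'
}
# has_opt FSTAB DIR OPTION: succeeds if DIR's option list contains exactly
# OPTION, so "ro" does not match "errors=remount-ro"
has_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $1 !~ /^#/ && NF >= 4 && $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}
# audit_fstab FSTAB: print one line per finding, return the number of findings
audit_fstab() {
    fstab=$1; count=0
    if ! has_opt "$fstab" /usr ro; then
        echo "/usr is not mounted read-only"; count=$((count + 1))
    fi
    for dir in /tmp /var /home; do
        if ! is_mountpoint "$fstab" "$dir"; then
            echo "$dir is not a separate partition"; count=$((count + 1)); continue
        fi
        for opt in nodev nosuid; do
            has_opt "$fstab" "$dir" "$opt" || { echo "$dir lacks $opt"; count=$((count + 1)); }
        done
    done
    return "$count"
}
audit_fstab "$WEAK_FSTAB" || echo "weak fstab: $? finding(s)"
audit_fstab "$HARDENED_FSTAB" && echo "hardened fstab: no findings"
```

    To run it against a live system, replace the sample with `"$(cat /etc/fstab)"`; it only reads the file, it does not remount anything.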
