Just to expound on points #1 and #2 above:
One of the major reasons to have different partitions, that I haven’t seen explicitly mentioned here, is that it really helps with system security. Indeed, mounting /usr (and as many other partitions as possible) read only is one of the best things you can do for your system. Not only does it prevent file permission problems (as GoRK rightfully mentioned), but there is probably a good chance that it will stop script kiddies from easily taking over your entire system. I only say this because I’m expecting the average h4x0r or worm not to know how to deal with such things. Of course, this may not be a valid assumption.
More importantly, there are an entire class of vulnerabilities that can be prevented by keeping things on different partitions. To oversimplify a bit, most of the `race conditions’ that one hears about can be thawarted by partitioning.
Here’s why. If some program has an exploitable race condition, it can often be exploited by making a hard link (with the `ln’ command) to some other file, say in /etc. Then the malicious user can overwrite, say, your /etc/passwd file, at best causing a denial of service attack (as no one will be able to log in), at worst gaining root access. If /tmp is on it’s own parition, however, it can only be used to overwrite other files in /tmp.
Every directory that users (i.e. not root) have write access to should be on a different partition than all of your programs (/usr, /bin, /sbin …) and configuration files (/etc). This, combined with mounting everything possible as read-only, is the first step to really securing a UNIX system.
(Incidently, if you do decide to mount /usr as read only, check out this
for information on how to make apt automatically
re-mount it rw and ro again.)
Keeping everything on seperate partitions will also allow you to use some of the more paranoid mounting flags, such as nodev and nosuid. Since there’s *usually* no reason for anyone to be creating devices anywhere except /dev, and almost never a reason for there to be setuid binaries in /tmp or /var, you can make it even more difficult for someone to break into your system. Note that many script kiddy ready exploit scripts on the Internet try to do things like create a setuid root shell in /tmp. Also, be very careful about settings these flags– some programs do need devices in wierd places.
I realize after rereading what I’ve written that
it’s not really oriented twoard the new UNIX user or admin. Some of the topics I’ve only briefly glossed over, such as race conditions, can get
pretty complex and there are much better explinations of how they work already out there.
That said, as far as a home system goes, it really depends on how secure you want to be vs. ease of use. All of this paritioning does tend to make life a pain in the ass when you need to download that 4GB file but only have 3.5 GB availabile in /home and 3.5 GB available in /var 🙂 But for a server it’s invaluable.