Gentoo Forums
fstab flags for various partitions
GummyGum173
n00b


Joined: 09 Apr 2014
Posts: 50

Posted: Mon Oct 06, 2014 6:23 pm    Post subject: fstab flags for various partitions

Hello,

I have partitioned my FS, and I need some safe flags for those partitions (like someone recommended me in the past to disable exec in tmp and such things).
This is my fstab content:

Code:
/dev/sda2               /boot           ext2            defaults,noatime        0 2
/dev/sda3               none            swap            sw              0 0
/dev/sda4               /               ext4            noatime         0 1
/dev/sda5               /usr            ext4            defaults        0 2
/dev/sda6               /tmp            ext4            defaults        0 2
/dev/sda7               /opt            ext4            defaults        0 2
/dev/sda8               /var/tmp        ext4            defaults        0 2
/dev/sda9               /var/log        ext4            defaults        0 2
/dev/sda10              /home           ext4            defaults        0 2


Thank you guys in advance :)
depontius
Advocate


Joined: 05 May 2004
Posts: 3509

Posted: Mon Oct 06, 2014 6:34 pm

Quite frequently the "noexec,nosuid" flags are applied to /tmp.

You have a lot of partitions, which can be a bear with slack space management. No matter how big the drive you start with, someday you're going to be shy of space on one partition and have plenty to spare on another.

Another good trick is to bind-mount /tmp over itself. It's not necessary when it's a separate partition, like you have. But when /tmp shares a partition, the bind-mount effectively makes it its own partition, preventing a wide class of link attacks.
_________________
.sigs waste space and bandwidth
GummyGum173
n00b


Joined: 09 Apr 2014
Posts: 50

Posted: Mon Oct 06, 2014 7:10 pm

depontius wrote:
Quite frequently the "noexec,nosuid" flags are applied to /tmp.

You have a lot of partitions, which can be a bear with slack space management. No matter how big the drive you start with, someday you're going to be shy of space on one partition and have plenty to spare on another.

Another good trick is to bind-mount /tmp over itself. It's not necessary when it's a separate partition, like you have. But when /tmp shares a partition, the bind-mount effectively makes it its own partition, preventing a wide class of link attacks.


These are my partition sizes:
Code:
df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda2        62M   21M   39M  35% /boot
/dev/sda4       3.8G  156M  3.4G   5% /
/dev/sda5        38G  4.6G   31G  14% /usr
/dev/sda6        20G   44M   19G   1% /tmp
/dev/sda7       9.8G   60M  9.2G   1% /opt
/dev/sda8        20G   49M   19G   1% /var/tmp
/dev/sda9        20G   51M   19G   1% /var/log
/dev/sda10     1008G  342M  957G   1% /home


As you can see, /boot won't expand; / is very limited, but I don't use it much anymore (it might expand a little with every update, but I doubt it will exceed 4GB by the time my HDD dies); /usr is problematic, though I can clean it up once in a while; the /tmps are auto-cleaned and so is /log (after a long time); the only expandable partition is /home, but it's so huge I doubt I will fill it by the time I switch PCs (as I also game, I tend to replace different parts every once in a while).


Anyway, I am sorry if I wasn't clear enough, but what I asked is: what rules should I set for each partition for maximum security?
depontius
Advocate


Joined: 05 May 2004
Posts: 3509

Posted: Mon Oct 06, 2014 7:34 pm

I think you can make a pretty good argument that "nosuid" should apply to every partition except / and /usr. I'm a bit iffy about /opt on that one, but just checked the /opt of the machine I'm sitting at, and there are no suid executables in /opt/*/bin. I'm a little iffy about /var/tmp, but would start with nosuid there too.

The "noexec" would have to be more sparingly applied. For instance, many people have $HOME/bin. I would still apply "noexec" to /tmp and /var/log. I think there might be build-time cases where "temporary executables" are built in /var/tmp and then run, so I'd keep that one capable of execution.

Keep in mind this isn't "maximum security", it's simply one more thing you can do.
_________________
.sigs waste space and bandwidth
Roman_Gruber
Advocate


Joined: 03 Oct 2006
Posts: 3846
Location: Austro Bavaria

Posted: Mon Oct 06, 2014 10:54 pm

You may use LVM and the LVM concept itself, so you can move your free space around later.

Such a layout just causes trouble, as said earlier, with filling up or having too many free nodes.

You may think about why you really need such a layout in the first place at all.
steveL
Watchman


Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

Posted: Tue Oct 07, 2014 12:29 am

What depontius said; you can see the settings I use here.

And yeah lvm rocks; but it needs physical volumes (aka partitions) to work with in the first place. I use it extensively, and have done for years, but equally I also use separate partitions and mounts.

Running out of space on /usr or some other partition is no fun at all, when you don't have lvm. As for shoving it all in one rootfs, that just makes me laugh.
depontius
Advocate


Joined: 05 May 2004
Posts: 3509

Posted: Tue Oct 07, 2014 1:04 am

steveL wrote:
What depontius said; you can see the settings I use here.

And yeah lvm rocks; but it needs physical volumes (aka partitions) to work with in the first place. I use it extensively, and have done for years, but equally I also use separate partitions and mounts.

Running out of space on /usr or some other partition is no fun at all, when you don't have lvm. As for shoving it all in one rootfs, that just makes me laugh.


Oops, I forgot about "nodev". I've used lvm in the past, but it trips me up because it's one of those things you seldom interact with. Then when you really need to do something, you have to go back and relearn it. I have a friend who has some distrust of it because it can scatter your data about on disk, making it harder to pick up the pieces if your data has a really bad day.
_________________
.sigs waste space and bandwidth
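An added example, mine rather than code from any poster, that audits an fstab against the option policy the posts above converge on: nosuid on every mount except / and /usr, noexec on /tmp and /var/log, and nodev, which I assume belongs on everything except / since the thread does not say where it goes. The sample fstab is constructed to mirror the original post's layout with a couple of mounts already hardened.

```shell
#!/bin/sh
# Added example, not from the thread. Policy (my reading of the posts above,
# nodev placement is my assumption): nosuid everywhere except / and /usr,
# nodev everywhere except /, noexec on /tmp and /var/log.

# Constructed sample fstab mirroring the original post's layout.
SAMPLE_FSTAB=$(cat <<'EOF'
/dev/sda2  /boot     ext2  defaults,noatime     0 2
/dev/sda3  none      swap  sw                   0 0
/dev/sda4  /         ext4  noatime              0 1
/dev/sda5  /usr      ext4  defaults             0 2
/dev/sda6  /tmp      ext4  nosuid,nodev,noexec  0 2
/dev/sda9  /var/log  ext4  defaults             0 2
/dev/sda10 /home     ext4  nosuid,nodev         0 2
EOF
)

# has_opt OPTS NAME: true if the comma-separated option list contains NAME.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# expected_opts MOUNTPOINT: print the options the policy wants there.
expected_opts() {
    case "$1" in
        /)             echo "" ;;
        /usr)          echo "nodev" ;;
        /tmp|/var/log) echo "nosuid nodev noexec" ;;
        *)             echo "nosuid nodev" ;;
    esac
}

# audit_fstab: read fstab text on stdin, print "<mount> missing: <opts>" for
# every mount that lacks something; return 1 if anything was missing.
audit_fstab() {
    missing=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$fstype" = swap ] && continue           # swap takes no VFS flags
        lacking=""
        for want in $(expected_opts "$mnt"); do
            has_opt "$opts" "$want" || lacking="$lacking $want"
        done
        if [ -n "$lacking" ]; then
            echo "$mnt missing:$lacking"
            missing=1
        fi
    done
    return $missing
}

if printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab; then
    echo "fstab matches policy"
else
    echo "policy violations found"
fi
```

Point it at a real file with `audit_fstab < /etc/fstab`; it only reads the file and reports, it changes nothing.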
steveL
Watchman


Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

Posted: Tue Oct 07, 2014 2:15 am

depontius wrote:
I've used lvm in the past, but it trips me up because it's one of those things you seldom interact with. Then when you really need to do something, you have to go back and relearn it.

Yeah, but that's what's so nice about the Unix method of plaintext .conf files in /etc. LVM is one of those things that, as you say, just sits in the background and does its job boringly well. The kind of stuff I like, as I can rely on it.

The only issues I've ever seen were because of udev and the "we don't like Unix, lol" approach.
Quote:
I have a friend who has some distrust of it because it can scatter your data about on disk, making it harder to pick up the pieces if your data has a really bad day.

Well, first thing I always do is partition a large home, which is always just a straight partition on disk. When I have to switch machines because of hardware age, I use the old drive/home as a backup partition in the new box.

As for "scattered files" I feel all right about that, because a) the dm-mapper is at kernel level, and I trust Torvalds when it comes to the overall project, and b) file-systems can put data all over the shop anyway. This is at a much bigger chunk size, in order for the FS to work on top of it.

In any event, nothing will save you if you don't backup your data. Having all the data on one physical partition is not useful if the disk is fscked, or your bloated system software has trashed it because it's been coded by someone who thinks he's smarter than the rest of the world, or at least all the computer scientists of the past, whose work he relies on.

Still, I'm not an admin; it's not me who gets called out at 3am to sort out a server, tf ;-) That's what IRC is for when it comes to coding.