The importance of Linux partitions
In general, many new Linux sysadmins create only two partitions, / (root) and swap, for the entire hard drive. This is a bad idea. You always need to consider the following points:
(1) Performance
(2) Security
(3) Stability
(4) Backup
Let us assume you have a 120 GB SCSI hard disk with only / and swap partitions. One user (internal, external, or a cracker) runs something which eats up all the hard disk space (a DoS attack). For example, consider the following tiny script that a user can run in the /tmp directory:
#!/bin/sh
man bash > $(mktemp)
$0
Anyone can run the above script via cron (if allowed), or even with the nohup command:
$ nohup bad-script &
The result is a disaster, as my entire file system comes under a denial of service attack. It will even bypass the disk quota restriction. One of our Jr. Linux sysadmins created only two partitions. Later a poorly written application ate up all the space in /var/log/. The end result was a memo for him (as he did not follow the internal docs that have guidelines for partition setup on client servers). Bottom line: create partitions as follows:
/ - Root partition
/home - Users home directory
/usr - Linux/BSD binary programs are installed here
/tmp - Temporary files partition
/var - Stores files which keep changing size, e.g. log, or squid caching files
If you don't have partitions like this then the following attacks can take place:
1) Denial of service attack against disk space (see the above example script)
2) Users can download or compile SUID programs in /tmp or even in /home
3) Performance tuning is not possible
4) Mounting /usr read-only to improve security is not possible
All of these attacks can be stopped by adding the following options to the /etc/fstab file:
nosuid - Do not set SUID/SGID access on this partition
nodev - Do not interpret character or block special devices on this partition
noexec - Do not set execution of any binaries on this partition
ro - Mount file system as readonly
quota - Enable disk quota
Please note that the above options can only be set if you have separate partitions. Make sure you create partitions as above with the special options set on each partition:
/home - Set option nosuid, and nodev with diskquota option
/usr - Set option nodev
/tmp - Set option nodev, nosuid, noexec option must be enabled
For example, the entry in /etc/fstab for /home should read as follows:
/dev/sda1 /home ext3 defaults,nosuid,nodev 1 2
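The following POSIX sh script is an added example, not code from the original article: it audits fstab entries against the per-partition option policy described above (/home: nosuid,nodev; /usr: nodev; /tmp: nodev,nosuid,noexec; /var: nodev,nosuid) and reports every required option that is missing. The fstab content it reads is constructed for the example; on a real system you would feed it /etc/fstab instead.

```shell
#!/bin/sh
# Added example (not from the original article): audit fstab entries against
# the per-partition mount-option policy recommended above.

# Sample fstab content, constructed for this example. /tmp deliberately lacks
# nosuid and noexec so the audit has something to report.
SAMPLE_FSTAB='# <device>   <mountpoint> <fstype> <options>               <dump> <pass>
/dev/sda1    /            ext3     defaults                1      1
/dev/sda2    /home        ext3     defaults,nosuid,nodev   1      2
/dev/sda3    /usr         ext3     defaults,nodev          1      2
/dev/sda4    /tmp         ext3     defaults,nodev          1      2
/dev/sda5    /var         ext3     defaults,nodev,nosuid   1      2'

# required_opts MOUNTPOINT -> prints the options that must be set there
# (policy taken from the article; mount points not listed have no requirement)
required_opts() {
    case "$1" in
        /home) echo "nosuid nodev" ;;
        /usr)  echo "nodev" ;;
        /tmp)  echo "nodev nosuid noexec" ;;
        /var)  echo "nodev nosuid" ;;
        *)     echo "" ;;
    esac
}

# has_opt OPTLIST OPT -> success if OPT appears in the comma-separated OPTLIST
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_fstab reads fstab text on stdin, prints one line per missing option,
# and returns the number of missing options (0 means the policy is satisfied).
audit_fstab() {
    missing=0
    while read -r dev mnt fstype opts rest; do
        # skip blank lines and comments
        case "$dev" in ''|'#'*) continue ;; esac
        for want in $(required_opts "$mnt"); do
            if ! has_opt "$opts" "$want"; then
                echo "$mnt: missing $want (has: $opts)"
                missing=$((missing + 1))
            fi
        done
    done
    return "$missing"
}

# Usage: audit the constructed sample. For a live system run:
#   audit_fstab < /etc/fstab
if printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab; then
    echo "fstab satisfies the partition policy"
else
    echo "policy violations found: $?"
fi
```

The check is deliberately per mount point rather than global, because the same option is wrong in one place and right in another (noexec belongs on /tmp but, as the discussion below this article notes, would break CGI scripts living under /var). Running the function against the output of mount (after trimming it to the same six-column shape) catches drift between what fstab says and what is actually mounted.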
Here is the mount command output from one of my OpenBSD production servers:
/dev/wd0a on / type ffs (local)
/dev/wd1a on /home type ffs (local, nodev, nosuid, with quotas)
/dev/wd0d on /root type ffs (local)
/dev/wd0e on /usr type ffs (local, nodev)
/dev/wd0f on /tmp type ffs (local, nodev)
/dev/wd0h on /var type ffs (local, nodev, nosuid)
/dev/wd0g on /var/log type ffs (local, nodev)
For more info please read the man pages of fstab, mount, and fdisk.
Discussion on This Article:
You did mention nodev, nosuid, noexec for /tmp (for /var/ and /var/log it's a good idea too) but the output from your production server does not show some of these settings. So why?
polarizers 2cent
Yup we do have nodev, nosuid, with quotas enabled on /home and /var partitions.
/dev/wd1a on /home type ffs (local, nodev, nosuid, with quotas)
/dev/wd0h on /var type ffs (local, nodev, nosuid)
However, on /tmp only nodev is enabled and not nosuid. This is an OpenBSD box, and the rest of the services are chrooted, i.e. www and ftp, and /tmp is a very small system around
(1) Performance
(4) Backup
Nothing in your article about them.
Tudor,
(4) Backup
You can easily dump and restore /home partition without touching rest of file system.
(1) Performance
You can easily disable or enable a few properties for performance, such as disabling the file creation update time on the /var partition or a database partition to save disk I/O.
Above are two prime examples.
Appreciate your post.
If noexec is enabled on /var, then it can create problems for cgi-bin scripts, which are normally stored in /var/www/cgi-bin.