Subject: Re: [suse-security] partitions & mail system
From: Roman Drahtmueller (draht uni-freiburg.de)
Date: Thu Jul 06 2000 - 09:34:35 CDT
- In reply to: Nikolai Dahlem: "Re: [suse-security] partitions & mail system"
>
> Sorry if I provided too little information. I thought about partitions as a
> manner of security, like separate partition for log-files, separate
> partition for web-server document root and mail-spool, etc. I just wanted
> to collect some ideas to ensure that I don't overlook something when I set
> up the partitions.
>
> Nikolai
>
Another hint, following the other postings:

Change the mount options for your partitions to the bare minimum needed.

/usr doesn't contain devices, but if it does anyway, nodev inhibits the
interpretation of a device file.

/ doesn't need to be writeable for users if you have a separate /var
filesystem (you needn't have a directory writeable for users). Make sure
that you remove /tmp and create a link /tmp -> var/tmp. (It would be
advisable to create /var/tmp on the root filesystem as well!)

On some machines, where I can't symlink /tmp, I have / mounted
nosuid. This requires that the path contains /usr/bin before /bin, and
that all needed suid binaries from /bin have an equivalent in /usr
(copied, not moved!).

This is what it can look like:

/dev/sda2 on / type ext2 (rw,nosuid)
/dev/sda3 on /var type ext2 (rw,nosuid,nodev,usrquota)
/dev/sdb1 on /usr type ext2 (rw,nodev)
/dev/sdc1 on /home type ext2 (rw,nosuid,nodev,noatime,usrquota)
/dev/sda1 on /boot type ext2 (rw)

"noatime" has performance reasons. Be careful with that, it might break
things (Currently, I don't know of any...).

Roman.
--
Roman Drahtmüller, CC University of Freiburg, email: drahtuni-freiburg.de
"The best way to pay for a lovely moment is to enjoy it." - Richard Bach
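
An added example, not part of the original message: a small shell audit that reads lines in the same "DEVICE on MOUNTPOINT type FS (OPTIONS)" format as the listing above and reports mount points that lack the options suggested there, plus the PATH ordering the message requires when / is mounted nosuid. The function names and the policy table are assumptions derived from the sample layout in the post.

```shell
#!/bin/sh
# Added example: audit `mount`-style lines against minimum mount options.
# The policy table is an assumption taken from the sample layout in the post.

# required_opts MOUNTPOINT: print the options that mount point must carry.
required_opts() {
    case "$1" in
        /)     echo "nosuid" ;;        # only if suid binaries are copied to /usr
        /var)  echo "nosuid nodev" ;;
        /usr)  echo "nodev" ;;
        /home) echo "nosuid nodev" ;;
    esac
}

# audit_mounts: read "DEV on MP type FS (opt,opt,...)" lines on stdin,
# print "MP missing OPT" for every gap, return 1 if any gap was found.
audit_mounts() {
    rc=0
    while read -r dev _on mp _type fs opts; do
        [ "$_on" = "on" ] || continue          # skip lines in another format
        opts=${opts#\(}; opts=${opts%\)}       # strip the surrounding parens
        for need in $(required_opts "$mp"); do
            case ",$opts," in
                *",$need,"*) ;;                 # exact option present
                *) echo "$mp missing $need"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# path_order_ok PATHSTRING: succeed only if /usr/bin is listed before /bin,
# as the message requires when / is mounted nosuid.
path_order_ok() {
    old_ifs=$IFS; IFS=:
    for d in $1; do
        case "$d" in
            /usr/bin) IFS=$old_ifs; return 0 ;;
            /bin)     IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs; return 1
}

# Constructed sample input (not from a real host): /var and /usr lack nodev.
SAMPLE='/dev/sda2 on / type ext2 (rw,nosuid)
/dev/sda3 on /var type ext2 (rw,nosuid,usrquota)
/dev/sdb1 on /usr type ext2 (rw)'
printf '%s\n' "$SAMPLE" | audit_mounts || echo "policy gaps found"
```

On a live system the same check is "mount | audit_mounts" followed by path_order_ok "$PATH".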