[Novalug] To partition or not? Should /usr be separate prttn.?
James Ewing Cottrell 3rd
JECottrell3@Comcast.NET
Sat May 30 02:07:22 EDT 2009
There is always a tradeoff between Security and Usability. If you are
Paranoid, go ahead and lock everything down. But I am tired of working
on crippled systems and having to work around not having things that
should be there. Only those who are Insecure obsess with Security.
Note that I said obsess. I take reasonable precautions, but in general I
believe in "Open Systems". As open as possible.
I need to write to /usr too; yum or apt-get for example.
Even so, if you REALLY want to make /usr read only, then go the extra
mile and make / read only too. Just make them one filesystem.
I throw up every time I see initialization code that has to dance around
the fact that /usr might not be mounted. It's even worse give the fact
that very few people, even vendors, write decent shell scripts.
JIM
P.S. Strictly speaking, you'd need to remount (-o remount,rw and -o
remount,ro) your filesystems, not unmount/mount.
Paul D. Bain wrote:
> jecottrell3@comcast.net wrote:
>>
>> You need a different /boot if / is on a more complex FS such as RAID.
>> Otherwise, just make it part of /. And NEVER make /usr a separate
>> filesystem. That's Old School Thinking at it's Worst.
>
> Jim,
>
> Six or seven years ago (at least), I read an article on OReilly.com
> that addressed this issue from the perspective of information security
> ("Info Sec"). The author of that article stated that /usr should always
> be a separate partition so that it could be mounted read-only. Why?
> Because, according to the author (cannot recall his name), nearly all
> rootkits need to be able to write to /usr. If the rootkit cannot write
> to /usr, then it cannot escalate the cracker's privileges, preventing
> the cracker from gaining superuser privileges. I thought that this was
> good advice. Of course, you would need to unmount and re-mount /usr
> *every single time* that you wanted to patch your system by downloading
> the latest security patches, thus:
>
> # aptitude update
> # aptitude safe-upgrade
>
> IOW, implementing this security measure would be a royal PITA -- unless
> there were a way to automate the process so that you would not have to
> manually unmount and re-mount, etc.
>
> Caveat: I am neither an Info Sec expert nor a partitioning expert.
>
> -- Paul Bain
>
>> ----- Original Message ----- From: "Megan Larko" <larkoc@iges.org> To:
>> "dclug" <dclug@calypso.tux.org>, "NOVALUG"
>> <novalug@calypso.tux.org> Sent: Thursday, May 28, 2009 1:30:56 PM GMT
>> -05:00 US/Canada Eastern Subject: [Novalug] For discussion: better to
>> partition or not partition?
>
>> So my question to the group is---
>>
>> Given an entire physical device to be used, what benefit, if any, is
>> conferred upon the admin/user/system by partitioning the device prior
>> to formatting compared with not partitioning the physical device and
>> just formatting the entire unit?
>
> _______________________________________________
> Novalug mailing list
> Novalug@calypso.tux.org
> http://calypso.tux.org/cgi-bin/mailman/listinfo/novalug
>
>
> ------------------------------------------------------------------------
>
>
> No virus found in this incoming message.
> Checked by AVG - www.avg.com
> Version: 8.5.339 / Virus Database: 270.12.46/2142 - Release Date: 05/29/09 17:53:00
>
More information about the Novalug
mailing list