[Novalug] To partition or not? Should /usr be separate prttn.?

James Ewing Cottrell 3rd JECottrell3@Comcast.NET
Sat May 30 02:07:22 EDT 2009


There is always a tradeoff between Security and Usability. If you are 
Paranoid, go ahead and lock everything down. But I am tired of working 
on crippled systems and having to work around not having things that 
should be there. Only those who are Insecure obsess with Security.

Note that I said obsess. I take reasonable precautions, but in general I 
believe in "Open Systems". As open as possible.

I need to write to /usr too; yum or apt-get for example.

Even so, if you REALLY want to make /usr read only, then go the extra 
mile and make / read only too. Just make them one filesystem.

I throw up every time I see initialization code that has to dance around 
the fact that /usr might not be mounted. It's even worse give the fact 
that very few people, even vendors, write decent shell scripts.

JIM

P.S. Strictly speaking, you'd need to remount (-o remount,rw and -o 
remount,ro) your filesystems, not unmount/mount.

Paul D. Bain wrote:
> jecottrell3@comcast.net wrote:
>>
>> You need a different /boot if / is on a more complex FS such as RAID.
>> Otherwise, just make it part of /. And NEVER make /usr a separate
>> filesystem. That's Old School Thinking at it's Worst.
> 
> Jim,
> 
>     Six or seven years ago (at least), I read an article on OReilly.com 
> that addressed this issue from the perspective of information security 
> ("Info Sec"). The author of that article stated that /usr should always 
> be a separate partition so that it could be mounted read-only. Why? 
> Because, according to the author (cannot recall his name), nearly all 
> rootkits need to be able to write to /usr. If the rootkit cannot write 
> to /usr, then it cannot escalate the cracker's privileges, preventing 
> the cracker from gaining superuser privileges. I thought that this was 
> good advice. Of course, you would need to unmount and re-mount /usr 
> *every single time* that you wanted to patch your system by downloading 
> the latest security patches, thus:
> 
>     # aptitude update
>     # aptitude safe-upgrade
> 
> IOW, implementing this security measure would be a royal PITA -- unless 
> there were a way to automate the process so that you would not have to 
> manually unmount and re-mount, etc.
> 
>     Caveat: I am neither an Info Sec expert nor a partitioning expert.
> 
> -- Paul Bain
> 
>> ----- Original Message ----- From: "Megan Larko" <larkoc@iges.org> To: 
>> "dclug" <dclug@calypso.tux.org>, "NOVALUG"
>> <novalug@calypso.tux.org> Sent: Thursday, May 28, 2009 1:30:56 PM GMT
>> -05:00 US/Canada Eastern Subject: [Novalug] For discussion: better to
>> partition or not partition?
> 
>> So my question to the group is---
>>
>> Given an entire physical device to be used, what benefit, if any, is
>> conferred upon the admin/user/system by partitioning the device prior
>> to formatting compared with not partitioning the physical device and
>> just formatting the entire unit?
> 
> _______________________________________________
> Novalug mailing list
> Novalug@calypso.tux.org
> http://calypso.tux.org/cgi-bin/mailman/listinfo/novalug
> 
> 
> ------------------------------------------------------------------------
> 
> 
> No virus found in this incoming message.
> Checked by AVG - www.avg.com 
> Version: 8.5.339 / Virus Database: 270.12.46/2142 - Release Date: 05/29/09 17:53:00
> 




More information about the Novalug mailing list