Date: Sat, 2 Aug 2003 20:42:39 -0400 (EDT) From: Jerry McAllister <jerrymc@clunix.cl.msu.edu> To: prosa@pro.sk (Peter Rosa) Cc: FreeBSD Questions <freebsd-questions@freebsd.org> Subject: Re: HDDs dividing rules Message-ID: <200308030042.h730gdrR008836@clunix.cl.msu.edu> In-Reply-To: <00c501c358e6$2dcdf2e0$3501a8c0@pro.sk> from "Peter Rosa" at Aug 02, 2003 01:06:52 PM
next in thread | previous in thread | raw e-mail | index | archive | help
Hi,
> Hi all,
>
> please, could you explain for those of us, who are new to Unix,
> are there some rules for partitioning of HDDs in accordance to
> security needs ? I know, I can set nosuid+noexec on whole
> partition (slice ?), I can mount something as read-only...
> It's everything fine, but what exactly should we do ?
There are no specific rules on how you divide up your disk.
It really depends on how you will use the system. What you
need for a system only you will log in to is vastly different
from what is needed for a web site server. And that is completely
different from what you need for a system where you provide
accounts for users to log in. Plus partition sizes will depend
some on how much disk you have available.
As for security settings and procedures, the same is pretty much true.
But for each there are some minimal good ideas.
Just a note first: You seem to express a little confusion about
partition vs slice. That is a frequent problem because the
Microsoft does not follow the UNIX terminology. FreeBSD UNIX
has slices that are subdivided in to partitions. MS uses the
word partition to mean the same thing a UNIX slice then comes up
with an 'extended partition' scheme for other divisions.
Each disk can be divided in to as many as 4 main slices. Each
disk can have a Master Boot Record (MBR) that manages the boot process -
mainly allowing you to select which slice to boot from. Each slice
can have a boot block and be considered bootable. The MBR selects
a slice and transfers control to the boot block (also called a boot
loader) on the slice to continue booting.
Each UNIX slice can be divided in to as many as 8 partitions.
These subdivisions called partitions are what get mounted as
such things as '/' '/tmp' '/home' etc.
If you have two disks, each can have 4 slices and each slice can
officially have 8 partitions.
One additional note, though. By convention and expected in some
programs, some of the partitons have special uses. The '/' file
system must be an 'a' partition on a bootable slice (although the 'a'
partition doesn't have to be mounted as '/' if the slice is not the
one being booted), the 'b' partition on any slice is used for swap,
the 'c' partition is used to identify the whole slice and is otherwise
unused, the 'd' partition used to have a designated use, which now
seems to be defunct, so the 'd' partition is unused and finally
the 'e' partition is often used for '/tmp', but doesn't have to be.
So, although it is possible to divide the slice in to 8 partitions,
some of the labels ('b', 'c', 'd') are not really available making
an effective 5 partitions and on a bootable slice 'a' needs to
be root.
When you partition your FreeBSD disk slice[s] you need to make
a root file system that is large enough to hold everything
needed for bringing up the system before other stuff is mounted
and running. There is a lot of dissagreement on how much is
right because it depends a lot on what you include and what you
farm out to other file systems (partitions). You can probably
make a root system with as little as 50 - 100 MBytes if you put
most everything somewhere else. I am a little less hard core and
make one about 350 MBytes and only put /var, /usr/local and /usr/ports
somewhere else. But, convenience rates a little higher than super
maximum performance for most of my machines.
Secondly, you need some swap space. The convention is that it
should be 2 to 2-1/2 times the size of your ram, but people are
rethinking a little with the much bigger memory sizes we have nowdays.
Third, you need some tmp space. Some people put that inside some
other partition. I make a /tmp file system for it with size depending
on types of use, running from 200 MBytes to around 500 MBytes. At
least you do NOT want this to be in the roo partition because it can
suddenly grow and cause trouble with root. Plus, it must be
writable by any process that uses the machine.
Then you need some place for other things that grow such as /var.
user home directories, /usr/local and maybe /usr/ports and maybe
even /usr/src.
People treat these in different ways - sometimes making separate
partitions (File systems) for them or putting them in some big
file system and making links. The way I do it is to make
partitions for '/', '/swap', '/tmp' and a very large '/home'.
Generally '/home' takes up all the rest of the space.
Some people make that very large partition be the /usr file system
and put their user home diretories in there (typically in /usr/home).
Some even make a '/user' file system in addition to '/usr' but
that is entirely tooo messy for me.
I put all user home directories, plus /var, /usr.local, /usr/src
and /usr/ports in to it with soft links to them. That way they
can grow up to the size of /home for a short while if needed and
it gives me time to notice and whack down whatever is growing too
fast for some reason (whack down can mean fixing a problem or
telling a user to quit skrewing around and wastine space). On
some systems we have quotas running on the user accounts to keep
them in line.
As for security thing, again it depends on what you are doing.
If you are running your personal machine with no other users
the only really minimum thing you need is to run TCP Wrapper
and set it so only acceptable entities are able to reach ports
on your machine. Since tcpwrapper now is implemented by default
on recent models of FreeBSD, that is taken care of. Just tink
the /etc/hosts.allow file. You may also want to do some
stuff with firewalls, either ipfilter or ipfw. If will give you
better logging if nothing else.
Unless you are letting other people on the machine, you don't really
need to think about things like mounting partitions RO and things
like noexec, etc.
When you begin to give other people accounts to log in with or
to do write files with FTP, then you will need to learn about
such things as chroot and jail and if it gets really hard core
you may need to things about RO mounts, etc. General, Email
only accounts won't even bring that up as long as they can't
log in and get a shell.
So, have fun,
////jerry
> Everywhere I looked, I found only words as "make your
> own choice of partitioning schema" etc., but I think, there
> must be some rules.
> And what if I have an HW RAID controller. Are there some
> difficulties or differences from "normal" dividing ?
>
> Tell us, please, something like
> "Divide your HDD as follows:
> 1. create slices for /, /home, /etc ...... It's good because....
> 2. mount / as RO..............
> 3. mount /user as noexec+nosuid..........."
>
> I think & hope these rules are well-known, but one must know
> where to look for....
> I also hope, this list could be such kind of brainstorming :-))
>
> One of the best things on Unixes is they are opened.
> But one of the worst thing on Unixes is they are opened
> and it is not simple to get very clear information.
> Sorry for the trying a philosophy here :-))
>
> Best regards and many thanks.
>
> Peter Rosa
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200308030042.h730gdrR008836>