yeah i know i sometimes make fun of distributions that have like a partition for every /root/folder but well yes it has its reasons.

suse12

uname -a; # tested with
Linux suse 4.4.21-69-default #1 SMP Tue Oct 25 10:58:20 UTC 2016 (9464f67) x86_64 x86_64 x86_64 GNU/Linux

parted
GNU Parted 3.1
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) p
Model: Msft Virtual Disk (scsi)
Disk /dev/sda: 136GB
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags:

Number  Start   End     Size    Type     File system     Flags
 1      1049kB  2155MB  2154MB  primary  linux-swap(v1)  type=82
 2      2155MB  45,1GB  43,0GB  primary  btrfs           boot, type=83
 3      45,1GB  136GB   91,3GB  primary  xfs             type=83


df -Th
Dateisystem    Typ      Größe Benutzt Verf. Verw% Eingehängt auf
devtmpfs       devtmpfs  484M       0  484M    0% /dev
tmpfs          tmpfs     492M     80K  492M    1% /dev/shm
tmpfs          tmpfs     492M     15M  478M    3% /run
tmpfs          tmpfs     492M       0  492M    0% /sys/fs/cgroup
/dev/sda2      btrfs      41G    6,2G   34G   16% /
/dev/sda2      btrfs      41G    6,2G   34G   16% /.snapshots
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/tmp
/dev/sda2      btrfs      41G    6,2G   34G   16% /srv
/dev/sda2      btrfs      41G    6,2G   34G   16% /boot/grub2/x86_64-efi
/dev/sda2      btrfs      41G    6,2G   34G   16% /boot/grub2/i386-pc
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/lib/mailman
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/crash
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/lib/pgsql
/dev/sda2      btrfs      41G    6,2G   34G   16% /usr/local
/dev/sda2      btrfs      41G    6,2G   34G   16% /tmp
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/cache
/dev/sda2      btrfs      41G    6,2G   34G   16% /opt
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/lib/named
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/log
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/lib/machines
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/spool
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/opt
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/lib/libvirt/images
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/lib/mariadb
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/lib/mysql
/dev/sda3      xfs        85G    1,2G   84G    2% /home
tmpfs          tmpfs      99M     20K   99M    1% /run/user/1000

security

i guess you can assume that if someone gains physical access to your server, there is no way to stop them from becoming root.

some say it is important to mount with special options to prevent things like:

Because access to the underlying device is controlled only by file permissions by default, so if your USB stick contains a POSIX filesystem with a world-writable device node corresponding to a real device in the system, you can use that device node to access the corresponding device as a "plain" user. Imagine a device corresponding to one of the audio devices, your webcam, /dev/sda (which is a block device rather than a character device, but the argument is the same), or /dev/mem

Here’s an example to make things clearer. Say you want to access /dev/mem (then you can pretty much do anything you want, including become root). On your target system, ls -l /dev/mem shows:


crw-r-----  1 root kmem      1,   1 Sep  8 11:25 mem

This means /dev/mem is a character device (the c at the beginning of the line), with major number 1 and minor number 1 (the 1, 1 in the middle of the line). The device is only accessible to root (read/write) and members of the kmem group (read-only).

Now imagine on this system you can’t become root but for some reason you can mount USB sticks as a user without nodev. On another system, where you are root, you can create a corresponding special file on your USB key:


mknod -m 666 usermem c 1 1

This will create a special file called usermem, readable and writable by everyone.

Mount the key on your target system and hey presto, you can use the usermem device in the same way as /dev/mem, but with no access restriction…

why would you have billions of partitions?

  • Ease of use – Make it easier to recover a corrupted file system or operating system installation.
  • Performance – Smaller file systems are more efficient. You can tune a file system per application, such as for log or cache files. A dedicated swap partition can also improve performance (this may not be true with latest Linux kernel 2.6).
  • Security – Separating the operating system files from user files may result in a better and more secure system. Restricting the growth of certain file systems is possible using various techniques.
  • Backup and Recovery – Easier backup and recovery.
  • Stability and efficiency – You can increase disk space efficiency by formatting disks with various block sizes. It depends upon usage. For example, if the data is lots of small files, it is better to use a small block size.
  • Testing – Boot multiple operating systems such as Linux, Windows and FreeBSD from a single hard disk.

File systems that need their own partitions:

Partition  Purpose
/usr       This is where most executable binaries, the kernel source tree and much documentation go.
/var       This is where spool directories such as those for mail and printing go. In addition, it contains the error log directory.
/tmp       This is where most temporary data files are stored by apps.
/boot      This is where your kernel images and boot loader configuration go.
/home      This is where users' home directories go.

If you do not have a partition schema, then the following attacks can take place:

  1. Runaway processes.
  2. Denial of Service attack against disk space (see above example script).
  3. Users can download or compile SUID programs in /tmp or even in /home.
  4. Performance tuning is not possible.
  5. Mounting /usr read-only to improve security is not possible.

All of these attacks can be stopped by adding the following options to the /etc/fstab file:

  • nosuid – Do not allow SUID/SGID access on this partition
  • nodev – Do not interpret character or block special devices on this partition
  • noexec – Do not allow execution of any binaries on this partition
  • ro – Mount file system read-only
  • quota – Enable disk quota

Please note that the above options can be set only if you have a separate partition. Make sure you create the partitions as above, with the special options set on each partition:

  • /home – Set options nosuid and nodev, with the disk quota option
  • /usr – Set option nodev
  • /tmp – Options nodev, nosuid and noexec must be enabled
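
An added example, not part of the original post or the cyberciti article: a small POSIX shell audit covering both the nodev point and the per-partition option list above. It checks /proc/mounts-style lines against that list; the function names and the sample mount lines are constructed for illustration, and the quota option is not checked.

```shell
#!/bin/sh
# Added example (not from the original post): audit mount options.
# Policy taken from the list above:
#   /home -> nosuid,nodev   /usr -> nodev   /tmp -> nodev,nosuid,noexec
required_opts() {
    case "$1" in
        /home) echo "nosuid nodev" ;;
        /usr)  echo "nodev" ;;
        /tmp)  echo "nodev nosuid noexec" ;;
    esac
}

# Reads /proc/mounts-format lines on stdin (device mountpoint fstype options ...).
# Prints "MISSING <mountpoint> <option>" for every absent option and
# "NOT-SEPARATE <path>" when a policy path is not a mount point of its own.
# Returns 1 if anything was reported, 0 otherwise.
audit_mounts() {
    rc=0
    seen=""
    while read -r _dev mnt _type opts _rest; do
        need=$(required_opts "$mnt")
        [ -n "$need" ] || continue
        seen="$seen $mnt"
        for opt in $need; do
            case ",$opts," in
                *",$opt,"*) ;;
                *) echo "MISSING $mnt $opt"; rc=1 ;;
            esac
        done
    done
    for mnt in /home /usr /tmp; do
        case " $seen " in
            *" $mnt "*) ;;
            *) echo "NOT-SEPARATE $mnt"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample, modelled on the layout shown earlier (not real output).
SAMPLE_MOUNTS='/dev/sda2 / btrfs rw,relatime,space_cache 0 0
/dev/sda2 /tmp btrfs rw,nosuid,relatime,space_cache 0 0
/dev/sda3 /home xfs rw,nosuid,nodev,relatime,attr2,inode64,noquota 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts || true
# On a live host: audit_mounts < /proc/mounts
```
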

src: https://www.cyberciti.biz/tips/the-importance-of-linux-partitions.html

admin