yeah i know i sometimes make fun of distributions that have like a partition for every /root/folder but well yes it has it’s reasons.
uname -a; # tested with Linux suse 4.4.21-69-default #1 SMP Tue Oct 25 10:58:20 UTC 2016 (9464f67) x86_64 x86_64 x86_64 GNU/Linux parted GNU Parted 3.1 Using /dev/sda Welcome to GNU Parted! Type 'help' to view a list of commands. (parted) p Model: Msft Virtual Disk (scsi) Disk /dev/sda: 136GB Sector size (logical/physical): 512B/4096B Partition Table: msdos Disk Flags: Number Start End Size Type File system Flags 1 1049kB 2155MB 2154MB primary linux-swap(v1) type=82 2 2155MB 45,1GB 43,0GB primary btrfs boot, type=83 3 45,1GB 136GB 91,3GB primary xfs type=83 df -Th Dateisystem Typ Größe Benutzt Verf. Verw% Eingehängt auf devtmpfs devtmpfs 484M 0 484M 0% /dev tmpfs tmpfs 492M 80K 492M 1% /dev/shm tmpfs tmpfs 492M 15M 478M 3% /run tmpfs tmpfs 492M 0 492M 0% /sys/fs/cgroup /dev/sda2 btrfs 41G 6,2G 34G 16% / /dev/sda2 btrfs 41G 6,2G 34G 16% /.snapshots /dev/sda2 btrfs 41G 6,2G 34G 16% /var/tmp /dev/sda2 btrfs 41G 6,2G 34G 16% /srv /dev/sda2 btrfs 41G 6,2G 34G 16% /boot/grub2/x86_64-efi /dev/sda2 btrfs 41G 6,2G 34G 16% /boot/grub2/i386-pc /dev/sda2 btrfs 41G 6,2G 34G 16% /var/lib/mailman /dev/sda2 btrfs 41G 6,2G 34G 16% /var/crash /dev/sda2 btrfs 41G 6,2G 34G 16% /var/lib/pgsql /dev/sda2 btrfs 41G 6,2G 34G 16% /usr/local /dev/sda2 btrfs 41G 6,2G 34G 16% /tmp /dev/sda2 btrfs 41G 6,2G 34G 16% /var/cache /dev/sda2 btrfs 41G 6,2G 34G 16% /opt /dev/sda2 btrfs 41G 6,2G 34G 16% /var/lib/named /dev/sda2 btrfs 41G 6,2G 34G 16% /var/log /dev/sda2 btrfs 41G 6,2G 34G 16% /var/lib/machines /dev/sda2 btrfs 41G 6,2G 34G 16% /var/spool /dev/sda2 btrfs 41G 6,2G 34G 16% /var/opt /dev/sda2 btrfs 41G 6,2G 34G 16% /var/lib/libvirt/images /dev/sda2 btrfs 41G 6,2G 34G 16% /var/lib/mariadb /dev/sda2 btrfs 41G 6,2G 34G 16% /var/lib/mysql /dev/sda3 xfs 85G 1,2G 84G 2% /home tmpfs tmpfs 99M 20K 99M 1% /run/user/1000
i guess you can assume if someone gains physical access to your server – there is no way to stop not becoming root.
some say it is important to mount with special options to prevent things like:
Because access to the underlying device is controlled only by file permissions by default, so if your USB stick contains a POSIX filesystem with a world-writable device node corresponding to a real device in the system, you can use that device node to access the corresponding device as a „plain“ user. Imagine a device corresponding to one of the audio devices, your webcam,
(which is a block device rather than a character device, but the argument is the same), or
Here’s an example to make things clearer. Say you want to access
(then you can pretty much do anything you want, including become
). On your target system,
crw-r----- 1 root kmem 1, 1 Sep 8 11:25 mem
is a character device (the
at the beginning of the line), with major number 1 and minor number 1 (the
in the middle of the line). The device is only accessible to
(read/write) and members of the
Now imagine on this system you can’t become
but for some reason you can mount USB sticks as a user without
. On another system, where you are
, you can create a corresponding special file on your USB key:
mknod -m 666 usermem c 1 1
This will create a special file called
, readable and writable by everyone.
Mount the key on your target system and hey presto, you can use the
device in the same way as
, but with no access restriction…
why would you have billions of partitions?
- Ease of use – Make it easier to recover a corrupted file system or operating system installation.
- Performance – Smaller file systems are more efficient. You can tune file system as per application such as log or cache files. Dedicated swap partition can also improve the performance (this may not be true with latest Linux kernel 2.6).
- Security – Separation of the operating system files from user files may result into a better and secure system. Restrict the growth of certain file systems is possible using various techniques.
- Backup and Recovery – Easier backup and recovery.
- Stability and efficiency – You can increase disk space efficiency by formatting disk with various block sizes. It depends upon usage. For example, if the data is lots of small files, it is better to use small block size.
- Testing – Boot multiple operating systems such as Linux, Windows and FreeBSD from a single hard disk.
|/usr||This is where most executable binaries, the kernel source tree and much documentation go.|
|/var||This is where spool directories such as those for mail and printing go. In addition, it contains the error log directory.|
|/tmp||This is where most temporary data files stored by apps.|
|/boot||This is where your kernel images and boot loader configuration go.|
|/home||This is where users home directories go.|
If you do not have a partition schema, than following attacks can take place:
- Runaway processes.
- Denial of Service attack against disk space (see above example script).
- Users can download or compile SUID programs in /tmp or even in /home.
- Performance tuning is not possible.
- Mounting /usr as read only not possible to improve security.
- All of this attack can be stopped by adding following option to /etc/fstab file:
- nosuid – Do not set SUID/SGID access on this partition
- nodev – Do not character or special devices on this partition
- noexec – Do not set execution of any binaries on this partition
- ro – Mount file system as readonly
- quota – Enable disk quota
Please note that above options can be set only, if you have a separate partition. Make sure you create a partition as above with special option set on each partition:
- /home – Set option nosuid, and nodev with diskquota option
- /usr – Set option nodev
- /tmp – Set option nodev, nosuid, noexec option must be enabled