Yeah, people sometimes make fun of distributions that have a separate partition for every top-level folder, but it has its reasons: when a program accumulates too much data (mailbox full), the / (root) partition and the system itself will not be affected.


uname -a; # tested with
Linux suse 4.4.21-69-default #1 SMP Tue Oct 25 10:58:20 UTC 2016 (9464f67) x86_64 x86_64 x86_64 GNU/Linux

GNU Parted 3.1
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) p
Model: Msft Virtual Disk (scsi)
Disk /dev/sda: 136GB
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags:

Number  Start   End     Size    Type     File system     Flags
 1      1049kB  2155MB  2154MB  primary  linux-swap(v1)  type=82
 2      2155MB  45,1GB  43,0GB  primary  btrfs           boot, type=83
 3      45,1GB  136GB   91,3GB  primary  xfs             type=83

df -Th
Dateisystem    Typ      Größe Benutzt Verf. Verw% Eingehängt auf
devtmpfs       devtmpfs  484M       0  484M    0% /dev
tmpfs          tmpfs     492M     80K  492M    1% /dev/shm
tmpfs          tmpfs     492M     15M  478M    3% /run
tmpfs          tmpfs     492M       0  492M    0% /sys/fs/cgroup
/dev/sda2      btrfs      41G    6,2G   34G   16% /
/dev/sda2      btrfs      41G    6,2G   34G   16% /.snapshots
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/tmp
/dev/sda2      btrfs      41G    6,2G   34G   16% /srv
/dev/sda2      btrfs      41G    6,2G   34G   16% /boot/grub2/x86_64-efi
/dev/sda2      btrfs      41G    6,2G   34G   16% /boot/grub2/i386-pc
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/lib/mailman
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/crash
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/lib/pgsql
/dev/sda2      btrfs      41G    6,2G   34G   16% /usr/local
/dev/sda2      btrfs      41G    6,2G   34G   16% /tmp
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/cache
/dev/sda2      btrfs      41G    6,2G   34G   16% /opt
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/lib/named
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/log
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/lib/machines
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/spool
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/opt
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/lib/libvirt/images
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/lib/mariadb
/dev/sda2      btrfs      41G    6,2G   34G   16% /var/lib/mysql
/dev/sda3      xfs        85G    1,2G   84G    2% /home
tmpfs          tmpfs      99M     20K   99M    1% /run/user/1000


One can assume that if someone gains physical access to your server there is no way to stop them from becoming root (what you can do in the BIOS: 1) disable booting from all removable devices such as CD/DVD-ROM and USB drives, 2) set a BIOS password).

Some say it is important to mount with special options to prevent things like the following:

By default, access to the underlying device is controlled only by file permissions, so if your USB stick contains a POSIX filesystem with a world-writable device node corresponding to a real device in the system, you can use that device node to access the corresponding device as a “plain” user.

Imagine a device node corresponding to one of the audio devices, your webcam, /dev/sda (which is a block device rather than a character device, but the argument is the same), or /dev/mem.

Here’s an example to make things clearer.

Say you want to access /dev/mem (then you can pretty much do anything you want, including become root).

On your target system, ls -l /dev/mem shows

crw-r-----  1 root kmem      1,   1 Sep  8 11:25 mem

This means /dev/mem is a character device (the c at the beginning of the line), with major number 1 and minor number 1 (the 1, 1 in the middle of the line).

The device is only accessible to root (read/write) and members of the kmem group (read-only).

Now imagine on this system you can’t become root but for some reason you can mount USB sticks as a user without nodev.

On another system, where you are root, you can create a corresponding special file on your USB key:

mknod -m 666 usermem c 1 1

This will create a special file called usermem, readable and writable by everyone.

Mount the key on your target system and hey presto, you can use the usermem device in the same way as /dev/mem, but with no access restriction…

why would you have billions of partitions?

  • Ease of use – Makes it easier to recover a corrupted file system or operating system installation.
  • Performance – Smaller file systems are more efficient. You can tune each file system for its application, such as log or cache files. A dedicated swap partition can also improve performance (this may not be true with the latest Linux kernel 2.6).
  • Security – Separating the operating system files from user files may result in a better and more secure system. Restricting the growth of certain file systems is possible using various techniques.
  • Backup and Recovery – Easier backup and recovery.
  • Stability and efficiency – You can increase disk space efficiency by formatting partitions with different block sizes, depending on usage. For example, if the data consists of lots of small files, it is better to use a small block size.
  • Testing – Boot multiple operating systems such as Linux, Windows and FreeBSD from a single hard disk.
File systems that need their own partitions

Partition  Purpose
/usr       This is where most executable binaries, the kernel source tree and much documentation go.
/var       This is where spool directories such as those for mail and printing go. In addition, it contains the error log directory.
/tmp       This is where most temporary data files are stored by apps.
/boot      This is where your kernel images and boot loader configuration go.
/home      This is where users' home directories go.

If you do not have a partition scheme, the following attacks can take place:

  1. Runaway processes.
  2. Denial of Service attack against disk space (see above example script).
  3. Users can download or compile SUID programs in /tmp or even in /home.
  4. Performance tuning is not possible.
  5. Mounting /usr read-only to improve security is not possible.
  6. All of these attacks can be stopped by adding the following options in the /etc/fstab file:
  • nosuid – Do not honour SUID/SGID bits on this partition
  • nodev – Do not interpret character or block special devices on this partition
  • noexec – Do not allow direct execution of any binaries on this partition
  • ro – Mount the file system read-only
  • quota – Enable disk quota

Please note that the above options can only be set if you have a separate partition. Make sure you create the partitions as above, with the special options set on each partition:

  • /home – Set nosuid and nodev, plus the disk quota option
  • /usr – Set nodev
  • /tmp – nodev, nosuid and noexec must all be enabled
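The nodev scenario quoted above and the per-partition options just listed can be checked with one script. The following is an added example (my own, not from the post and not from openSUSE): it reads fstab- or /proc/mounts-style lines, applies the post's own recommendations (/tmp nodev,nosuid,noexec; /home nodev,nosuid; /usr nodev) plus nodev for every other non-root mount, and reports what is missing. The sample fstab inside it is constructed, modelled on the layout in the df output above; the policy table, the list of skipped pseudo-filesystems and the handling of fstab's user option are my additions.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a mount table against
# the options recommended above. Input lines are in fstab / /proc/mounts form:
#   <device> <mountpoint> <fstype> <options> [dump] [pass]
# Policy (the post's recommendations, plus "nodev everywhere but /" because of
# the USB-stick device-node scenario):
#   /tmp -> nodev,nosuid,noexec   /home -> nodev,nosuid   /usr -> nodev
#   /    -> nothing required      anything else -> nodev

# required_opts MOUNTPOINT: print the comma-separated options MOUNTPOINT must carry
required_opts() {
    case "$1" in
        /tmp)  echo "nodev,nosuid,noexec" ;;
        /home) echo "nodev,nosuid" ;;
        /usr)  echo "nodev" ;;
        /)     echo "" ;;
        *)     echo "nodev" ;;
    esac
}

# has_opt OPTIONS OPT: succeed if OPT appears literally in the comma-separated OPTIONS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# effective_opt OPTIONS OPT: like has_opt, but knows that fstab's "user"/"users"
# imply nodev,nosuid,noexec unless an explicit "dev"/"suid"/"exec" is also given
# (option order is not considered; /proc/mounts never shows "user" anyway).
effective_opt() {
    has_opt "$1" "$2" && return 0
    case "$2" in
        nodev|nosuid|noexec)
            if has_opt "$1" user || has_opt "$1" users; then
                has_opt "$1" "${2#no}" && return 1
                return 0
            fi ;;
    esac
    return 1
}

# audit_mounts: read mount-table lines on stdin, print "<mountpoint> missing <opt>"
# for every required option that is absent. Exit 0 if clean, 1 if anything was found.
audit_mounts() {
    findings=0
    while read -r dev mnt fstype opts rest; do
        # skip blank lines and comments
        case "$dev" in ''|'#'*) continue ;; esac
        # swap has no mountpoint; pseudo-filesystems (and /dev itself, which
        # has to hold device nodes) are out of scope for this policy
        case "$fstype" in
            swap|proc|sysfs|devtmpfs|devpts|cgroup*|securityfs|pstore|bpf|debugfs|tracefs|configfs|mqueue|hugetlbfs|binfmt_misc|autofs|efivarfs|fusectl)
                continue ;;
        esac
        for o in $(required_opts "$mnt" | tr ',' ' '); do
            if ! effective_opt "$opts" "$o"; then
                echo "$mnt missing $o"
                findings=$((findings + 1))
            fi
        done
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample fstab modelled on the post's layout (not the real file):
# the /tmp subvolume carries no hardening options at all, /home has nosuid but
# lacks nodev, /usr/local is already fine, usb1 is a plain "user" mount (nodev
# implied), usb2 is a "user" mount where someone added "dev" back.
SAMPLE_FSTAB="# constructed sample
/dev/sda1   swap         swap   defaults                    0 0
/dev/sda2   /            btrfs  defaults                    0 0
/dev/sda2   /tmp         btrfs  subvol=@/tmp                0 0
/dev/sda2   /usr/local   btrfs  subvol=@/usr/local,nodev    0 0
/dev/sda3   /home        xfs    defaults,nosuid,usrquota    0 0
/dev/sdb1   /media/usb1  vfat   rw,user,noauto              0 0
/dev/sdc1   /media/usb2  vfat   rw,user,noauto,dev          0 0"

# audit_sample: run the audit over the constructed sample
audit_sample() {
    printf '%s\n' "$SAMPLE_FSTAB" | audit_mounts
}

# Demo run. On a real host use the kernel's view of the *effective* options:
#   audit_mounts < /proc/mounts
audit_sample || echo "audit: the mount table above needs hardening"
```

Run it against /proc/mounts rather than /etc/fstab when auditing a live box: that shows the options the kernel actually applied, including whatever a user mount implied. Worth noting for the layout in the df output above: nodev, nosuid and noexec are per-mountpoint flags, so each of those btrfs subvolumes mounted from /dev/sda2 (/tmp, /var/tmp, /srv, ...) can carry its own set even though they all live on one partition.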

