nV News Forums > Linux Support Forums > General Linux

Old 08-15-10, 06:53 AM   #1
grey_1
Guest
 
Posts: n/a
A more secure install

Hi guys - just looking to verify some things I've been reading, maybe gain a tip or two. By "more secure" I'm referring to protection from loss of data through breakage rather than hardening an existing install.

It's my understanding that setting up separate partitions for /tmp and /var can protect a system if a process begins uncontrollable writes...

/home I'll have on its own partition anyway, but for backup purposes /home and /etc are really the only *must haves*, though backing up /etc alone doesn't preserve program updates.

Is this accurate? And would anyone mind sharing what type of partitioning scheme you use and why?

Thanks guys
Old 08-16-10, 03:51 AM   #2
Arup
Registered User
 
Join Date: May 2009
Posts: 122
Re: A more secure install

In my case, all my sensitive stuff gets regularly backed up to a separate external drive. For partitioning, I use a separate partition named Data. This allows me to clean install Linux when new versions are released without losing data. I also keep an up-to-date image of Ubuntu LTS via Clonezilla so I can go back to it once I am done playing with other distros.
Old 08-16-10, 07:30 AM   #3
grey_1
Guest
 
Posts: n/a
Re: A more secure install

Quote:
Originally Posted by Arup View Post
In my case, all my sensitive stuff gets regularly backed up to a separate external drive. For partitioning, I use a separate partition named Data. This allows me to clean install Linux when new versions are released without losing data. I also keep an up-to-date image of Ubuntu LTS via Clonezilla so I can go back to it once I am done playing with other distros.
Thanks for that.

I keep my LTS install on a separate drive atm, where I'm looking to dual boot Fedora 13 and OS11.3 on another drive, but having that backup image will come in handy, I'm sure.

But this way I can mangle my "practice" installs and configs without damaging my primary.

Right now it's all about learning the Linux file structure and what are considered "best practices" by the community.

Thanks for sharing Arup.
Old 08-19-10, 08:47 AM   #4
wnd
Nerd, Geek, Freak
 
wnd's Avatar
 
Join Date: Sep 2005
Location: Finland
Posts: 703
Re: A more secure install

Quote:
Originally Posted by grey_1 View Post
protection from loss of data through breakage rather than hardening an existing install

It's my understanding that setting up separate partitions for /tmp and /var can protect a system if a process begins uncontrollable writes...

/home I'll have on its own partition anyway, but for backup purposes /home and /etc are really the only *must haves*, though backing up /etc alone doesn't preserve program updates.
It is indeed useful to have a separate /home for a number of reasons, but the rest mostly depends on your goals. A separate /home prevents you from rendering your system unusable by filling up /var, and makes it easier to make backups of the data that really matters. Having a separate /tmp can also be a good idea, but from my experience it is extremely rare for the size of /tmp to become a problem. If you worry about /tmp, you may also want to worry about /var/tmp, which is often used for boot-persistent temporary data.

/etc is probably the most interesting directory after /home. Backing up /etc does not automatically allow you to restore a lost system to its former self. Restoring /etc often requires deeper knowledge of the system. Information about (system-wide) installed applications is often stored under /var/lib or such, but this is package manager and/or distribution dependent. On Debian-based systems, this information can be easily backed up, but having a copy of /var/lib is not the way. Preserving program updates is more harmful than it is useful. It is often easier and safer to restore a system with no applications than a system with broken or compromised applications.

Best practices depend on your distribution, but as for the file system alone, the Filesystem Hierarchy Standard is the way to go. Wikipedia links to a number of web pages about distribution-specific policies.

Finally, you obviously want to run backups on a separate disk, or remote host if possible. Having backups on local disk only protects from innocent accidents (e.g. rm), not from rogue applications (if mounted read-write), or kernel space and hardware failures.

My workstation basically has 32 GiB root (/) and 40 GiB home. The rest of disk is split between /wrk (~518 GiB), Windows (one 100 GiB partition), and an experimental 4 GiB partition to make it easy to play with file systems. /wrk contains non-critical data such as media and games. Only /home and /wrk/pics (i.e. user created data) are backed up. I used to separate /tmp and root filesystem, but I always ended up filling up the other. Then again, disk space is cheap.

My server, on the other hand, has the following partition layout.
Code:
/dev/mapper/vg00-root
                       2064208    215944   1743408  12% /
tmpfs                   496976         0    496976   0% /lib/init/rw
udev                     10240       724      9516   8% /dev
tmpfs                   496976         0    496976   0% /dev/shm
/dev/sda1               241116     24634    204034  11% /boot
/dev/mapper/vg00-home
                       8256952    363400   7809668   5% /home
/dev/mapper/vg00-tmp   2064208     68696   1890656   4% /tmp
/dev/mapper/vg00-usr   4128448    885184   3033552  23% /usr
/dev/mapper/vg00-var   4128448    773712   3145024  20% /var
/dev/mapper/vg00-log   2064208    128284   1831068   7% /var/log
/dev/mapper/vg00-spool
                       2064208     68772   1890580   4% /var/spool
/dev/mapper/vg00-www  82569904   5496468  75395716   7% /var/www
/dev/mapper/vg00-wrk 130852396 111108952  18414048  86% /wrk
/dev/md0             307663736 199341436  92693872  69% /raid
This layout separates critical system components (/bin, /lib, /etc, mounted under /) from security components (/var/log, also for remote workstation logging), http-server (/var/www, which also runs chrooted) and mail daemon (/var/spool) from the rest of the system. Separate /boot is mostly legacy, but it makes recovering a LVM system much easier. /raid contains RAID-1-mirrored space for workstation backups only. Running backups to such a system is dangerous, but considering current options that's the best I have. /wrk can be remotely mounted and is shared for intra. Technically this layout would allow me to run most of the filesystems read-only, but so far I've been lacking the motivation.
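As an added example, not code from wnd's post or from any other post in this thread, the following POSIX shell script turns the layout advice in post #4 into checks you can run: whether /home, /tmp, /var and /var/log have mounts of their own, which mounts are still read-write (wnd notes his layout would allow most filesystems to be mounted read-only), and which filesystems are close to full (the runaway-write scenario from the first post). The fstab and df texts inside it are constructed samples modelled on the server listing above; the device names and mount options in them are assumptions, not copied from anyone's system. The `save_system_state` helper is illustrative; the `dpkg --get-selections` / `dpkg --set-selections` commands it relies on are real, and the selection list plus /etc is what to keep on Debian-based systems instead of a copy of /var/lib.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks built around the
# partitioning and backup points in wnd's post. SAMPLE_FSTAB and SAMPLE_DF
# are constructed inputs modelled on the server layout shown above; the
# device names and options are illustrative assumptions.

SAMPLE_FSTAB='
# <device>              <mount>    <type> <options>                  <dump> <pass>
/dev/mapper/vg00-root   /          ext3   defaults,errors=remount-ro 0 1
/dev/sda1               /boot      ext3   defaults                   0 2
/dev/mapper/vg00-home   /home      ext3   defaults                   0 2
/dev/mapper/vg00-tmp    /tmp       ext3   defaults                   0 2
/dev/mapper/vg00-usr    /usr       ext3   defaults,ro                0 2
/dev/mapper/vg00-var    /var       ext3   defaults                   0 2
/dev/mapper/vg00-log    /var/log   ext3   defaults                   0 2
/dev/mapper/vg00-www    /var/www   ext3   defaults                   0 2
'

# Constructed "df -P" snapshot: usage percent is field 5, mount point field 6.
SAMPLE_DF='Filesystem            1024-blocks      Used Available Capacity Mounted on
/dev/mapper/vg00-root     2064208    215944   1743408      12% /
/dev/mapper/vg00-log      2064208    128284   1831068       7% /var/log
/dev/mapper/vg00-wrk    130852396 111108952  18414048      86% /wrk
'

# Print each directory the thread suggests isolating that has no mount of its
# own in the given fstab text (its contents then land on / and can fill it).
missing_separate_mounts() {   # $1 = fstab text
    for dir in /home /tmp /var /var/log; do
        if ! printf '%s\n' "$1" | awk -v d="$dir" \
            '$1 !~ /^#/ && NF >= 2 && $2 == d { found = 1 } END { exit found ? 0 : 1 }'
        then
            printf '%s\n' "$dir"
        fi
    done
}

# Print the mount points whose option list lacks "ro", i.e. still read-write.
rw_mounts() {   # $1 = fstab text
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && NF >= 4 {
        n = split($4, o, ","); rw = 1
        for (i = 1; i <= n; i++) if (o[i] == "ro") rw = 0
        if (rw) print $2
    }'
}

# Print "mountpoint percent" for each filesystem at or above the threshold:
# a cheap early warning before a runaway writer fills a partition.
nearly_full() {   # $1 = "df -P" text, $2 = threshold percent
    printf '%s\n' "$1" | awk -v t="$2" 'NR > 1 && NF >= 6 {
        p = $5; sub(/%/, "", p)
        if (p + 0 >= t + 0) print $6, p
    }'
}

# Debian/Ubuntu: save the package selection list and /etc instead of copying
# /var/lib. Illustrative helper; only calls dpkg where it exists. Restore with:
#   dpkg --set-selections < selections.txt && apt-get dselect-upgrade
save_system_state() {   # $1 = destination directory (assumed writable)
    mkdir -p "$1" || return 1
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --get-selections > "$1/selections.txt"
    fi
    tar -czf "$1/etc.tar.gz" -C / etc
}

# Demo against the constructed samples; on a real host pass
# "$(cat /etc/fstab)" and "$(df -P)" instead.
echo "Directories without their own mount:"
missing_separate_mounts "$SAMPLE_FSTAB"
echo "Still mounted read-write:"
rw_mounts "$SAMPLE_FSTAB"
echo "Filesystems at or above 80% full:"
nearly_full "$SAMPLE_DF" 80
```

On the sample layout the first check prints nothing, the second lists every mount except /usr, and the third reports only /wrk at 86%. Feeding it a single-root fstab shows /tmp, /var and /var/log as sharing / with everything else, which is the situation the first post asks about.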
Old 08-19-10, 10:15 AM   #5
grey_1
Guest
 
Posts: n/a
Re: A more secure install

Hi wnd - long time no see, hope you're doing well!

Thank you, thank you. You just answered my questions perfectly.

My goal as stated is simply to learn best practices while becoming more familiar with the Filesystem Hierarchy Standard. Right now I'm simply learning the basics, e.g. structure, commands, repairing an install (for which I create plenty of opportunities accidentally...)...

Soon I hope to have a server with 2 remote (just laptops) networked, which is where I'll begin to delve into the material you're touching on here.

Fantastic - thank you again!