LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 03-18-2009, 05:57 PM   #1
morphix
Member
 
Registered: Nov 2007
Location: Newcastle, Australia
Distribution: Ubuntu, Debian, Arch
Posts: 53

Rep: Reputation: 15
Reasons to have / as separate partition?


Hi,

Can someone give a good/suitable/recommended reason why, for a server, it is good to have the / (root) on its own partition amongst /var & /usr also being on separate partitions?

I am being asked this question, and honestly cannot think of one apart from stopping any installed docs/applications from using up the free space.
 
Old 03-18-2009, 08:49 PM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168
I do it so that I can control the partitions separately. The / partition can be mounted read only so that things don't get accidentally changed. Other partitions can be mounted with options specific to my needs as well as to stop a filled /var partition (for example) from max'ing out my available drive space.

I have my /tmp partition mounted rw,noexec,nosuid,nodev, my /var partition mounted rw and my /home partition mounted rw,nosuid,nodev. Some of my partitions are encrypted, some are not. Using separate partitions allows me to be more fine grained in my approach. For some people that's useful, other people don't use their box in a way that requires them to do that.
 
Old 03-18-2009, 09:20 PM   #3
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,233

Rep: Reputation: 406
Another example would be putting /boot on a separate partition, because some older hardware requires the boot loader to be in the first couple hundred megs of the drive. Thus putting a 100 meg /boot partition at the start of the drive allowed larger hard drives on older hardware that would otherwise not support them natively, such as a 100 gig hard drive on an old 486: even though the BIOS can't see the full 100 gigs, it CAN see a 100 meg partition at the start of the drive where you put /boot (the kernel, initramfs, grub.conf etc.), and Linux takes care of the rest.
 
Old 03-19-2009, 01:26 AM   #4
hans51
Member
 
Registered: Mar 2005
Location: Cambodia
Distribution: suse
Posts: 36
Blog Entries: 1

Rep: Reputation: 16
I have used Linux for some 11 years now for work and found no reason to do so.
But I do put my own stuff on a totally separate partition to make sure I can reformat and reinstall the whole system without changing / losing my own data.
 
Old 03-19-2009, 02:55 AM   #5
theYinYeti
Senior Member
 
Registered: Jul 2004
Location: France
Distribution: Arch Linux
Posts: 1,897

Rep: Reputation: 66
hans51, you probably think of home computers, not servers.
This question is often asked. Here's the answer, to my knowledge:

/ can't be said to be on a “separate” partition; it is the one mandatory partition you can't do without in Unix/Linux.

/tmp and /var have data that change a lot over time, and them being apart from / makes sure the root partition does not fill up, which would result in an unstable system.

/usr contains mostly static data. It can still be useful to set it on its own partition, if you intend to mount it remotely, as is sometimes done for X terminals. That rarely applies to servers, unless some common applications are configured for a group of similar servers.

And then, as gilead said, each partition can be mounted with its own option, which may be handy for security.

Yves.
 
Old 03-19-2009, 03:11 AM   #6
lrcapson
LQ Newbie
 
Registered: Mar 2004
Location: Salem Oregon
Distribution: Ubuntu, Fedora
Posts: 1

Rep: Reputation: 0
Quote:
Originally Posted by morphix
Hi,

Can someone give a good/suitable/recommended reason why, for a server, it is good to have the / (root) on its own partition amongst /var & /usr also being on separate partitions?

I am being asked this question, and honestly cannot think of one apart from stopping any installed docs/applications from using up the free space.

If the server is used at home by one person, it doesn't really matter. If the server is used by many people, then it is very important to separate as much as possible. /var is used by user applications to store logging and database files etc. /var and /tmp are constantly filling up. This can cause a server to crash if you have a single partition. To prevent the root partition from filling up, the partitions that grow should be on their own. The best practice is to isolate users and applications from the root partition as much as possible. This will also allow you to update, reformat and re-install without affecting user data.
 
Old 03-19-2009, 03:36 AM   #7
hans51
Member
 
Registered: Mar 2005
Location: Cambodia
Distribution: suse
Posts: 36
Blog Entries: 1

Rep: Reputation: 16
Quote:
Originally Posted by theYinYeti
hans51, you probably think of home computers, not servers.
This question is often asked. Here's the answer, to my knowledge

Yves.
I did NOT think of home PC
I operate 3 servers plus 2 laptops
with /
and no separate partition for /usr nor /tmp nor /var nor other OS relevant stuff
only the production part is on separate partitions / drives - all system part on /.
But there might be other situations where other methods might work better.
 
Old 03-19-2009, 03:43 AM   #8
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
To summarise how I see the reasons:
  • /var and /tmp filling up are two good reasons; you don't want this to stop you doing the necessary maintenance on the server
  • if you don't separate partitions, you can't get individual control of mount options and formats (is the appropriate file type for the partition with multi-terabyte database files the same as the appropriate one for /var?, do you want to take the same approach to journalling and, eg, atime?)
  • being able to mount particular partitions noexec is said to have security advantages...I can't say I've personally seen an exploit that this would have prevented, but having more security than you need is never bad
  • you can lay the partitions out to optimise the use of speed of your disks; for most servers there is a lot of disk space, but not all of it needs the highest performance, so it makes sense to ensure that the bits that need the highest performance are on the fastest disks or the fastest area of the disk
  • partitions that intentionally grow over time might be best separate to ease eventual upgrades (adding extra physical disks, although this is already easier with a Unix-style layout than with some other systems)
  • having /home separate is always good news when it comes to OS upgrades and particularly if you have the home dirs of many users on it, because then it might be quite large

sorry if I have repeated points already mentioned (partic gilead), but I was trying to give a simple-to-read list, not all of which are going to be applicable in any one situation.
 
Old 03-19-2009, 05:53 AM   #9
chitambira
Member
 
Registered: Oct 2008
Location: Online
Distribution: RHEL, Centos
Posts: 373
Blog Entries: 1

Rep: Reputation: 51
Theoretical answer:
(just to answer the curiosity of morphix)
***As above

Practical answer:

(for anyone else who is installing)
***If you don't see the reason, then you probably don't need to.

Summary:
***If your server is doing nothing (not intensive usage), and you don't care about security and performance, and you don't care about downtime (your environment is somewhat small and not mission critical, where you can plug unplug at will), and your servers are static (no upgrading of software or hardware) then why should you worry yourself!!
 
Old 03-19-2009, 03:56 PM   #10
cyent
Member
 
Registered: Aug 2001
Location: ChristChurch New Zealand
Distribution: Ubuntu
Posts: 398

Rep: Reputation: 87
If you want to at a later stage drop in an entirely new distribution, you can if / is a different file system to /home (I've done that several times)

If / is on an entirely different disk, then the head is not chasing back and forth between your /home data and / program data.

If /home is used by klutzy users that are prone to filling the disk.... at least the server carries on chugging if / still has space.
 
Old 03-20-2009, 07:40 AM   #11
insomina
LQ Newbie
 
Registered: Nov 2005
Distribution: Debian, Ubuntu, Red hat, Suse
Posts: 2

Rep: Reputation: 0
Here is a great example of the security benefits in distributing your file system over multiple partitions:
(not my words ; original page here -> http://antionline.com/showthread.php?t=232655 )
Quote:
Good Linux security starts with a little planning during the installation. If your partitioning scheme is poorly planned, your shiny new Linux installation may not perform to its full potential, or worse - leave holes in your system that attackers may be able to exploit.

Many users coming from the Microsoft world are unaware of the implications of drive partitioning, because Microsoft products generally use one large partition for everything. Many new users tend to want to throw everything on one Linux partition because that's what they're used to, but this is a dangerous line of thinking. In order to be proficient in Linux, new users must unlearn a lot of bad habits encouraged by Microsoft.

Windows typically mounts drive partitions as new drive letters (i.e., C:, D:, E:, etc.). Linux, on the other hand, seamlessly mounts drive partitions as directories in the tree, so the Linux file system may invisibly span as many disks and partitions as desired. The advantages to this method are twofold: 1) user-writable directories like /home and /tmp can be kept separate from the rest of the system to protect the integrity of the root file system, and 2) partitions can be mounted with different options to restrict access for different purposes.

Any directory that will be written to with any regularity - and especially if ordinary users will have write permission - should be placed on a separate partition. User-writable partitions like /home /var and /tmp have a tendency to fill up with junk, and if they do so on the same partition as the system root they can destabilize or crash the system. This is the basis for many basic kinds of Denial of Service (DoS) attacks like mail-bombing. If /var is on its own partition it will simply fill up with the junk until nothing more can be written, but the system root will be untouched. Ideally, once the box is configured and running, /tmp /var /usr and /home should each be on a separate partition, leaving the partition containing / /bin /etc /lib and /sbin (which must be together - don't get carried away with this ) essentially read-only.

A reasonable partitioning scheme based on the above principles might look like this:

/ 100-250MB
/tmp 100MB
/var 750-1000MB
/usr 4000MB
/home 10000MB+

Linux also allows partitions to be mounted with various options that will restrict access to it in a number of ways. They are specified in the /etc/fstab file and are as follows:

nosuid - will ignore the SUID bit on binaries
noexec - will prevent any binaries or scripts from executing from this partition
nodev - ignores devices

These options help to prevent undesirable access by attackers, malicious code like viruses and worms, and clumsy users. Edit the relevant lines of the /etc/fstab file and add the options nodev, nosuid, and noexec as follows:

/dev/hda1 / ext3 noatime 0 0
/dev/hda5 /tmp ext3 noatime,nodev,nosuid,noexec 0 0
/dev/hda6 /var ext3 noatime,nodev 0 0
/dev/hda7 /usr ext3 noatime,nodev 0 0
/dev/hda8 /home ext3 noatime,nodev,noexec,nosuid 0 0

This configuration will not stop a skilled attacker, because these restrictions can be bypassed via an indirect path. But since many script kiddie exploits are designed to run directly from /tmp, setting the noexec option on it will stop most of them cold. There's no good reason for programs to be running from /tmp, anyway. It's generally not a good idea to set the noexec option on /var, because doing so will probably break some applications that need it to function properly (i.e., certain package management systems, like RPM).

Last edited by insomina; 03-20-2009 at 10:02 AM. Reason: url link
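
An added example, not part of the original posts or of the quoted article: a small shell check that compares an fstab against the per-partition options in the quoted fstab above (the same idea as the options gilead lists in post #2), and flags directories that are not separate filesystems at all. The POLICY table, the function name audit_fstab and the sample fstab are constructed for illustration.

```shell
#!/bin/sh
# Expected options per mount point, copied from the quoted fstab in post #11.
# (Constructed policy table; adjust to your own layout.)
POLICY='/tmp nodev,nosuid,noexec
/var nodev
/usr nodev
/home nodev,nosuid,noexec'

# audit_fstab FILE: print one finding per line; print nothing if FILE meets POLICY.
audit_fstab() {
    fstab=$1
    echo "$POLICY" | while read -r mnt want; do
        # Field 2 is the mount point, field 4 the option list; skip comment lines.
        have=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4; exit }' "$fstab")
        if [ -z "$have" ]; then
            # No entry: the directory lives on its parent filesystem (often /),
            # so filling it fills / and it cannot get its own mount options.
            echo "$mnt: not a separate filesystem"
            continue
        fi
        for opt in $(echo "$want" | tr ',' ' '); do
            # Wrap in commas so "nodev" only matches a whole option.
            case ",$have," in
                *",$opt,"*) ;;
                *) echo "$mnt: missing $opt" ;;
            esac
        done
    done
}

# Constructed sample fstab (not from a real host): /tmp lacks noexec, /usr is on /.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# device   mount  type options                         dump pass
/dev/hda1  /      ext3 noatime                         0 1
/dev/hda5  /tmp   ext3 noatime,nodev,nosuid            0 2
/dev/hda6  /var   ext3 noatime,nodev                   0 2
/dev/hda8  /home  ext3 noatime,nodev,noexec,nosuid     0 2
EOF
audit_fstab "$sample"
rm -f "$sample"
```

Pointing audit_fstab at /proc/mounts instead of /etc/fstab checks what is actually mounted right now, since the first four fields have the same layout.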
 
Old 03-20-2009, 08:49 AM   #12
fenriswoolf
LQ Newbie
 
Registered: Jul 2006
Location: u.s.
Posts: 15

Rep: Reputation: 0
has got to do with security ... not against viruses, they're pretty much inconsequential, but against stupidity ... Linux is very powerful, but easily messed up by people who have little or no background ... root is usually used for the system and software, while /usr, /home, etc. can be set up with limited access to the root-files ... it's comparable to administrator and user in Windows, just that a root partition adds an additional layer of protection by separating user and system files physically ... theo
p.s. Windows drive C:, E: etc are not actual partitions, those you would have to create with programs like paragon partition manager, but only mount points ... /var, /home are actual partitions created during installation ... theo

Last edited by fenriswoolf; 03-20-2009 at 08:51 AM.
 
Old 03-20-2009, 09:39 AM   #13
netman4ttm
Member
 
Registered: Aug 2007
Distribution: FreeBSD 8.0 xubuntu
Posts: 49

Rep: Reputation: 16
My reason: dump/restore.
 
Old 03-20-2009, 10:00 AM   #14
insomina
LQ Newbie
 
Registered: Nov 2005
Distribution: Debian, Ubuntu, Red hat, Suse
Posts: 2

Rep: Reputation: 0
Quote:
Originally Posted by fenriswoolf
has got to do with security ... not against viruses, they're pretty much inconsequential..
not my words.. simply quoted the link and the information on that page

Quote:
Originally Posted by fenriswoolf
p.s. Windows drive C:, E: etc are not actual partitions, those you would have to create with programs like paragon partition manager, but only mount points ... /var, /home are actual partitions created during installation ... theo

This doesn't make much sense, drive letters in Windows can represent a magnitude of devices and resources... further from this you can quite easily assign partitions of different file systems to drive letters in Windows regardless of the disk tools or OS you used to create them (pre or post OS installation).. maybe this isn't what you were saying; it's unclear.


however my only words stated were :

Quote:
Originally Posted by insomina
Here is a great example of the security benefits in distributing your file system over multiple partitions:
(not my words ; original page here -> http://antionline.com/showthread.php?t=232655 )

I feel that the security implications for a server would tend to be the most significant advantage of a distributed file system and gilead (and theYinYeti noted) was the only one who had specifically specified this concern; I simply expanded his help with a relevant URI.. Hope this was useful..

Last edited by insomina; 03-20-2009 at 10:27 AM.
 
Old 03-22-2009, 10:29 AM   #15
DOSJockey382
LQ Newbie
 
Registered: Aug 2005
Location: California
Distribution: Debian, Ubuntu, NetBSD, OS X
Posts: 25

Rep: Reputation: 15
Maybe this idea has been implied by many of the things previously stated, but I haven't heard it stated right out. One of my major reasons is data integrity. If your data (static or dynamic) is compartmentalized, it is a lot easier to recover data separated in intact partitions when another partition is on the fritz due to corruption of data, bad sectors, or something more serious.
 
  


All times are GMT -5.