Re: [suse-security] SuSE webserver

nordi wrote:
| John Richard Moser wrote:
|  > I don't see the need for 7 partitions, if you use journaling.
| The reason for using several partitions is not that they can be checked
| faster. This is done for increased security through special mount
| options and to prevent local DoS attacks. But read on.
|  > For /tmp, use a tmpfs:
| [...]
|  > I use a 2G tmpfs with a 2G swap and 768M physical ram.
| Which will make it easy to overload your machine if you don't use quotas
| + a specifically hardened kernel. A local attacker can fill up your 2GB

Ok, local attacker loses his account and gets fired.  Still no chance of
lamers coming in from the web server.

| of /tmp, which means your RAM is full and 1.5GB of swap in use. This is
| going to be _really_ bad for your performance (=DoS). This is no concern
| for your dev-box at home, but for a webserver this can be a serious
| issue.
|  > /usr and /usr/local I'd think could be the same; if you break the
|  > system, you have to do a full reinstall anyway to rewrite the binaries
|  > even though you could keep your configuration.
| I think the point behind putting /usr/local/ on a separate partition is
| that you can mount /usr as read only (maybe even mount it from a remote
| host if you have many boxes!). As most files are located there, yet they
| hardly ever need to be changed, this is a good idea. Stuff that is
| specific for this box can then be placed in /usr/local.

Ahh, neat.

| In addition to using several partitions, /etc, /var, /home and /tmp
| should be mounted with "nodev" and "nosuid" options. /usr/local should
| at least have the "nodev" option set.

Yeah, nice.

| nordi

Thanks for the clarification.  I'm mostly into things like PaX and stack
smash protection, proper coding, and a little access control.  The whole
nosuid-nodev thing I tend to overlook, as I'd expect SELinux or RSBAC to
be used for that, or for mknod() or chmod()+s to just be denied to
non-root users.  I also use journaled filesystems (reiserfs), and think
that a filesystem should be seen as 'clean' if it came down when there
was nothing to be flushed to it and no files open.

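As an added example (not part of the thread), a small POSIX sh audit of a /proc/mounts-style listing against the mount-option policy nordi describes above: nodev+nosuid on /etc, /var, /home and /tmp, nodev on /usr/local, read-only /usr. The sample mount table is constructed; the hypothetical layout mirrors the reiserfs + tmpfs /tmp setup discussed.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a /proc/mounts listing against
# the policy from the discussion; sample input below is constructed.

# Options each mount point should carry, per the thread's recommendation.
required_opts() {
    case "$1" in
        /etc|/var|/home|/tmp) echo "nodev nosuid" ;;
        /usr/local)           echo "nodev" ;;
        /usr)                 echo "ro" ;;
        *)                    echo "" ;;
    esac
}

# Print "<mnt> missing <opt>" for each required option absent from the
# comma-separated option string of one mounted filesystem.
missing_opts() {
    mnt=$1; opts=$2
    for want in $(required_opts "$mnt"); do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$mnt missing $want" ;;
        esac
    done
}

# Read /proc/mounts format from stdin and report every policy violation.
# Policy paths that are not separate mounts are reported too, since nodev
# and nosuid can only be applied per filesystem.
audit_mounts() {
    seen=""
    while read -r dev mnt fstype opts dump pass; do
        [ -n "$mnt" ] || continue
        seen="$seen $mnt"
        missing_opts "$mnt" "$opts"
    done
    for mnt in /etc /var /home /tmp /usr /usr/local; do
        case " $seen " in
            *" $mnt "*) ;;
            *) echo "$mnt is not a separate mount" ;;
        esac
    done
}

# Constructed sample: /etc lives on /, /usr/local lacks nodev, /home lacks nosuid.
SAMPLE_MOUNTS='/dev/sda2 / reiserfs rw 0 0
/dev/sda5 /usr reiserfs ro,nodev 0 0
/dev/sda6 /usr/local reiserfs rw 0 0
/dev/sda7 /var reiserfs rw,nodev,nosuid 0 0
/dev/sda8 /home reiserfs rw,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,size=2097152k 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
```

Against a live system, replace the sample with `audit_mounts < /proc/mounts`.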