Subject: Re: Preventative security features?
To: Michael van Elst <mlelstv@serpens.de>
From: Tim Kelly <hockey@dialectronics.com>
List: tech-security
Date: 11/14/2004 07:56:05
On Sun, 14 Nov 2004 11:52:37 +0000 (UTC)
mlelstv@serpens.de (Michael van Elst) wrote:

> First thing then should be to fix sysinst. It either has to work with
> smaller /tmp or has to prevent people from choosing a too small
> partition.

On my 2G disk, the default partition scheme ended up using 32M for /. It
runs about 80% full after I followed the directions of the work-around
in the PR.

> >I offer the following for discussion as a default scheme
> [...]
> >/var mounted as a write-only partition
>                    ^^^^^^^^^^
> Hopefully not :)

Actually, I retract this. My focus was intended to be on ensuring that
log files can not be altered, but making /var as a whole write-only
would cause a lot of problems.

> >[...] While most people will have their
> >own partitioning scheme, I feel that the default partition scheme
> >should be a good option out of the box.
> 
> Then we need partitioning themes.

Also part of what I am wanting to accomplish by bringing this up. I
suggested combining these into a "small" partitioning scheme that asked
the user for their likely needs, but I think the default partitioning
scheme should offer some separation of partitions. However, if no
consensus can come of this, and this is not the forum for final
discussion, I would like to see a recommended "security-oriented"
partition scheme/algorithm that could be offered as a theme.

tim