On Sun, Aug 17, 2003 at 09:48:01AM +0200, Christian Schäfer wrote:
> hi gentoo-user,
>
> I wonder what would be the best partition layout for a really secure
> and performant system (running as router/server).
>
> current layout:
> /boot not mounted
> / readonly
> /usr/local readonly
> /var r/w
> /tmp r/w
> /usr/portage r/w

/       rw
/usr    ro,nodev
/opt    ro,nodev
/var    rw,nodev
/tmp    rw,noexec,nosuid,nodev
/home   rw,nosuid,nodev
/boot   noauto,ro,nosuid

Due to bad design of some system programs you need / to be mounted rw at
boot :-(. It should be possible to later remount / as ro, but you
certainly can't do it at boot.

If you are certain you aren't going to run anything that puts suid code
in /var, then add nosuid there. qmail, vpopmail and a few other programs
do put suid code in /var, so I don't suggest it by default.

The noexec on /tmp will save you from a LOT of trouble, as the great
majority of rootkits try to run from there. On the other hand, it will
break some scripts (the livecd creation script, e.g.), so YMMV.

For security, I'd suggest you take a look at the Gentoo SELinux stuff.

-- 
Robin Hugh Johnson
E-Mail     : [EMAIL PROTECTED]
Home Page  : http://www.orbis-terrarum.net/?l=people.robbat2
ICQ#       : 30269588 or 41961639
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
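
[Added example, not part of the original message: a small POSIX shell check that compares a mount table (fstab or /proc/mounts format) against the option layout suggested in the reply above. The function names, the policy variable and the sample fstab with its device names are constructed for illustration.]

```shell
#!/bin/sh
# Added example: checks a mount table against the options in the reply above.
# Policy rows: "<mount point> <options that must be present>". "/" (rw) needs
# no flags; "noauto" on /boot is boot-time behaviour and is not checked.
POLICY='/usr ro,nodev
/opt ro,nodev
/var nodev
/tmp noexec,nosuid,nodev
/home nosuid,nodev
/boot ro,nosuid'

# audit_mounts FILE
# FILE uses the fstab / /proc/mounts column order: device, mount point,
# fs type, options. Prints one line per finding; returns 1 if any required
# option is missing, 0 otherwise.
audit_mounts() {
    table=$1
    missing=0
    while read -r mp want; do
        # Last entry for a mount point wins (the one mounted on top).
        have=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { o = $4 } END { print o }' "$table")
        if [ -z "$have" ]; then
            echo "SKIP $mp: no separate entry, flags cannot be set per mount"
            continue
        fi
        for opt in $(echo "$want" | tr ',' ' '); do
            case ",$have," in
                *",$opt,"*) ;;
                *) echo "FAIL $mp: missing $opt (has: $have)"; missing=1 ;;
            esac
        done
    done <<EOF
$POLICY
EOF
    return $missing
}

# write_sample_fstab FILE: constructed sample input (hypothetical devices).
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed example, not taken from the thread
/dev/hda1 /boot ext2 noauto,ro,nosuid 1 2
/dev/hda3 /     ext3 rw               0 1
/dev/hda5 /usr  ext3 ro               0 2
/dev/hda6 /var  ext3 rw,nodev         0 2
/dev/hda7 /tmp  ext3 rw,nosuid,nodev  0 2
/dev/hda8 /home ext3 rw,nosuid,nodev  0 2
EOF
}
```

Call `audit_mounts /etc/fstab` for the boot-time configuration or `audit_mounts /proc/mounts` for what is actually in effect, which also catches a later remount that dropped a flag.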
