On Wed, 16 Nov 2005, Dennis Clarke wrote:
> Show me the doc or white paper that says so and why.
Chapter 1 of the Boot Disk Management Blueprint book does indeed
recommend the use of one big partition for the OS:

    Over the years, there has been debate about whether it is
    better to use one large file system for the entire Solaris OE,
    or multiple, smaller file systems. Given modern hardware
    technology and software enhancements to the UNIX Fast File
    system, the case for multiple file systems seems anachronistic.
    For most cases, it is recommended to use a single slice root
    (/) partition. The benefits of using a single partition / file
    system are as follows:
    [...]
> space I can easily mount the filesystem read-only or for that matter
> get completely draconian and stuff /usr into a different disk and
> jumper it as read-only right on the hardware. That generally means
> that nothing will get modified, symlinked or messed with until I
> decide to make a system change.
The same book does, however, mention later that a hardened Solaris
installation should use a separate /usr:

    For a secured, or hardened, Solaris OE installation, follow
    these guidelines for file system mount options:

    * Mount the /usr partition in read-only mode; however, do not
      mount it nosuid as there are some commands in this file system
      that require the set-user-ID bit set.
    * Since writable space in /var is expected and required by many
      system utilities, do not mount the /var partition in read-only
      mode; only set it to nosuid.
    * To ensure the greatest level of security, mount all other
      partitions in read-only mode with nosuid, whenever possible.
> The most ruthless reasons for this are a case where I set up a V880 for
> someone and they decided that the tools in /usr/bin and /usr/sbin were
> not nearly as snazzy as the tools from GNU fileutils and binutils etc
> etc. So they compiled up all this GNU goo and then stuffed them into
> /usr/bin and /usr/sbin simply overwriting anything that was there.
Ah yes, I remember that story well. :-) If he hasn't been already,
that guy should be caught and shot. Now. And the IT Director needs
a long meeting with a cluebat.
--
Rich Teer, SCNA, SCSA, OpenSolaris CAB member
President,
Rite Online Inc.
Voice: +1 (250) 979-1638
URL: http://www.rite-group.com/rich
_______________________________________________
opensolaris-discuss mailing list
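The three mount-option guidelines quoted from the Blueprint above, turned into a small /etc/vfstab audit. This is an added example, not code from the book or from anyone in the thread; it assumes the standard seven-column vfstab layout, audits only ufs slices, and treats the root slice as exempt since it has to stay writable.

```shell
#!/bin/sh
# Audit /etc/vfstab entries against the hardening guidelines quoted above
# (added example; not from the book or the thread):
#   /usr   : ro, but NOT nosuid (some set-user-ID commands live there)
#   /var   : nosuid, but NOT ro (writable space is required)
#   others : ro,nosuid where possible (reported as advisory only)
# vfstab columns: dev-to-mount dev-to-fsck mount-point fstype fsck-pass mount-at-boot options

# has_opt OPTIONS NAME: true if comma-separated OPTIONS contains NAME exactly
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Reads vfstab lines on stdin; prints one finding per line; exit status is the
# number of hard violations of the /usr and /var rules (advisories do not count).
check_vfstab() {
    violations=0
    while read -r dev fsckdev mnt fstype pass atboot opts; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$fstype" = ufs ] || continue             # only local ufs slices
        [ "$opts" = "-" ] && opts=""                # "-" means no options
        case "$mnt" in
        /)  ;;                                      # root slice stays read-write
        /usr)
            has_opt "$opts" ro     || { echo "VIOLATION: /usr not ro";     violations=$((violations+1)); }
            has_opt "$opts" nosuid && { echo "VIOLATION: /usr is nosuid";  violations=$((violations+1)); }
            ;;
        /var)
            has_opt "$opts" nosuid || { echo "VIOLATION: /var not nosuid"; violations=$((violations+1)); }
            has_opt "$opts" ro     && { echo "VIOLATION: /var is ro";      violations=$((violations+1)); }
            ;;
        *)
            has_opt "$opts" ro     || echo "ADVISORY: $mnt not ro"
            has_opt "$opts" nosuid || echo "ADVISORY: $mnt not nosuid"
            ;;
        esac
    done
    return $violations
}

# Constructed sample vfstab (not from a real host): /usr wrongly nosuid, /var wrongly ro
SAMPLE_VFSTAB='#device            device             mount FS    fsck mount   mount
#to mount          to fsck            point type  pass at boot options
/dev/dsk/c0t0d0s0  /dev/rdsk/c0t0d0s0 /     ufs   1    no      -
/dev/dsk/c0t0d0s3  /dev/rdsk/c0t0d0s3 /usr  ufs   1    no      ro,nosuid
/dev/dsk/c0t0d0s4  /dev/rdsk/c0t0d0s4 /var  ufs   1    no      ro
/dev/dsk/c0t0d0s5  /dev/rdsk/c0t0d0s5 /opt  ufs   2    yes     nosuid
swap               -                  /tmp  tmpfs -    yes     -'
printf '%s\n' "$SAMPLE_VFSTAB" | check_vfstab || echo "hard violations: $?"
```

On a live system, `check_vfstab < /etc/vfstab` reports the configured options; comparing against `mount -p` output would catch slices remounted by hand since boot.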