
Partitions and Security

During installation, Linux will prompt you to partition your hard drive. This section will examine how your partitioning approach can affect your security.

What Are Partitions, Exactly?

Partitions are areas on your hard drive that are reserved for file systems. Let's look at their relationship to your hard drive at large.

Hard drives are composed of one or more layers called platters. Older SCSI drives, in particular, often house multiple platters. Please see Figure 3.2.

Figure 3.2 Hard drives can have one platter or several.

Each platter's surface vaguely resembles the surface of a vinyl record. Please see Figure 3.3.

As depicted in Figure 3.3, each platter surface is divided into concentric circles that get increasingly smaller as they get closer to the center. These circles are the tracks (unlike the groove on a record, they are defined magnetically rather than cut into the surface). Tracks are divided into smaller units called sectors, which hold the data bits.

Figure 3.3 Your hard drive's tracks, sectors, and data.

The tracks that occupy the same position on every platter together form a cylinder. Please see Figure 3.4.

Figure 3.4 All tracks occupying an identical area form a cylinder.

Partitions are composed of a user-specified range of contiguous cylinders. With DOS and Windows 3.11 (and even Windows 95's early release), users needed only one partition. This occupied virtually the entire disk and contained system files, user files, and swap files. Please see Figure 3.5.

Figure 3.5 The DOS partition occupies almost the entire disk.

NOTE

As hard drives larger than 2 gigabytes have become more affordable, this has changed. DOS/Windows and the first release of Windows 95 could not address a partition larger than 2GB (the FAT16 limit). Hence, to accommodate a large disk, you had to format it in 2GB partition increments, in which your first partition would be Drive C:, your second partition would be Drive D:, and so on. Later releases of Windows impose no such restriction.

In Linux, it's more common to have multiple partitions, primarily to maintain strict control over where data ends up. Normally, when you use only a single partition (as you would with DOS), your operating system writes data arbitrarily wherever it finds suitable space, and so do users. Eventually, your data becomes spread out, unmanageable, and disorganized.

In contrast, things are a bit more orderly when you create multiple partitions. For example, you can separate swap files from your live file system. Each partition exclusively owns a specific disk area. Figure 3.6 depicts a fairly common partitioning scenario.

Another common scenario is when you install two or more operating systems on the same disk drive but on different partitions, and they can coexist problem-free.

Linux supports a wide range of partition types. Table 3.1 lists a few of the more interesting ones.

Figure 3.6 Here, the disk has two swap partitions and one Linux native file system partition.

Table 3.1 Various Partition Types Supported by Linux

Id (hex)  Partition Type
2         XENIX root, an antiquated, Unix-based operating system for PCs that is rarely used today. It has a long history. Originally based on Unix version 7, later incorporating features from BSD 4.1, and finally conforming to SYS V, XENIX has been marketed by many companies, including Microsoft and the Santa Cruz Operation (SCO).
7         The High Performance File System or HPFS, a fault-tolerant system that incorporates advanced caching, long filenames, and support for traditionally incompatible file structures. It is the native file system of OS/2. Learn more about HPFS at http://www.cs.wisc.edu/~bolo/shipyard/hpfs.html.
8         AIX (IBM Unix).
40        Venix 80286, a System V-compatible version of Unix from VentureCom.
63        GNU HURD, which hails from the Free Software Foundation and is intended as the GNU system's replacement for the Unix kernel. To learn more about HURD, go to http://www.gnu.org/software/hurd/hurd.html.
64        Novell NetWare.
81        Minix.
82        Linux swap partition.
83        Linux native partition.
93        Amoeba, a distributed operating system that runs on SPARCstations (Sun4c and Sun4m), as well as the 386/486, 68030, Sun 3/50, and Sun 3/60. Amoeba is used to pool the power of multiple workstations into one powerful block of computing power. Learn more about Amoeba at http://www.cs.vu.nl/pub/amoeba/.


The Id column holds the hexadecimal codes that fdisk's t command expects. Linux supports more partition types than those listed here. For a complete list, go to http://mm.iit.uni-miskolc.hu/Data/texts/Linux/SAG/node35.html. Also, for a complete list of all PC partition types (including those Linux does not support) go to http://www.win.tue.nl/math/dw/personalpages/aeb/linux/partitions/partition_types-1.html.

Many folks install both DOS/Windows and Linux on the same hard drive, on separate partitions. This offers them latitude and flexibility. They can learn Linux while still relying on Windows, and enjoy at least one-way compatibility. Please see Figure 3.7.

Figure 3.7 Linux and DOS/Windows can coexist, but only Linux offers compatibility.

Although DOS and Windows cannot access the Linux partition, Linux can access the DOS partition, thereby allowing you to copy files back and forth across file systems.

NOTE

During installation, Linux asks you to specify additional or foreign file systems that you'd like to access. Linux mounts those file systems in the directory of your choice. A typical configuration would be to mount the DOS file system from Linux in /dos.

Linux newcomers often use the configurations depicted in Figures 3.6 and 3.7 because they're easy to implement. Many new Linux users are satisfied if they can just complete the installation with no problems, so they're apt to avoid more complicated partitioning schemes. Moreover, few installation routines highlight the relationship between partitioning and security, and they give no hint that such configurations are risky.

In fact, the scenarios depicted in Figures 3.6 and 3.7 expose your system to attack and hinder your ability to exercise effective system administration.

If you'd like to automatically manage your partitions, I suggest that you use a distribution such as Red Hat 7.x. During installation, Red Hat gives you the option of automatically partitioning your drives. The result is shown here:

[root@bcdinc jray]# fdisk /dev/hda

Command (m for help): p

Disk /dev/hda: 255 heads, 63 sectors, 784 cylinders
Units = cylinders of 16065 * 512 bytes

  Device Boot  Start    End  Blocks  Id System
/dev/hda1  *     1     3   24066  83 Linux
/dev/hda2       4    784  6273382+  5 Extended
/dev/hda5       4    338  2690856  83 Linux
/dev/hda6      339    673  2690856  83 Linux
/dev/hda7      674    706  265041  83 Linux
/dev/hda8      707    739  265041  83 Linux
/dev/hda9      740    772  265041  82 Linux swap

Command (m for help):

This is a fairly thorough scheme: separate partitions for /boot (hda1), /usr (hda5), /home (hda6), /var (hda7), root (hda8), and swap (hda9). Note that hda2 is the extended partition and that logical partitions are always numbered from 5 upward, which is why there is no hda3 or hda4. These partitions are then automatically mounted as well:

[root@bcdinc jray]# mount
/dev/hda8 on / type ext2 (rw)
none on /proc type proc (rw)
usbdevfs on /proc/bus/usb type usbdevfs (rw)
/dev/hda1 on /boot type ext2 (rw)
/dev/hda6 on /home type ext2 (rw)
/dev/hda5 on /usr type ext2 (rw)
/dev/hda7 on /var type ext2 (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)

Again, if you're a first-time user, Red Hat's automatic partition system makes installation as easy as Windows or Mac OS. If you've decided to use another distribution or partition the drive manually, there are several rules you should follow.

Lumping Linux into a Single Partition

First, you should never put root and user-writable file systems (/home, /tmp, and the like) on the same Linux partition. If you do, you cannot mount the user-writable areas with restrictive options such as nosuid without restricting the system as well, and an attacker who can plant or exploit SUID programs there has an easier path into restricted areas.

NOTE

SUID files are special in that they execute with the privileges of the file's owner, no matter who runs them. For example, if root owns a SUID program, that program will execute with root privileges and have considerable power to access, alter, and overwrite files that might otherwise be unreachable. If an attacker can exploit weaknesses in SUID programs, he can threaten the system at large. (Learn more about SUID programs in Chapter 4, "Basic Linux System Administration.")

Additionally, lumping Linux into a single native partition makes your life as a system administrator difficult. For example, it might hinder your ability to incisively update or back up individual packages or file systems. And when the full Linux system occupies one partition, even limited file corruption can cause systemic problems (meaning that one corrupted directory hierarchy can affect others). Disk optimization (which is something you rarely even have to consider under Linux) is another problem under a single partition system. As new software is installed, old software is removed, kernels are updated, and so on, fragmentation will increase. Although there are tools to optimize Linux disks, they are unreliable and a pain to use. Most frequently the only real maintenance that can be performed on a single-partition system is to reinstall the operating system.

To avoid these problems, create a separate partition for each major file system. Figure 3.8 depicts one possible configuration.

Figure 3.8 All major file systems are on separate partitions.

This enhances security and makes backups and recovery manageable. You can specify different backup schedules for different partitions, system files are separated from data files, and so on. This approach also allows you to exercise more stringent control over each file system and how it is mounted.

NOTE

The term mount refers to how Linux makes different file systems available to you. When Linux mounts a local or foreign file system, it attaches the system to a local device and/or directory. This gives you an access point. For example, to grant you access to your CD-ROM, Linux associates the CD-ROM drive with the device /dev/cdrom (usually), and you must specify a directory as the mount point (typically, /mnt/cdrom or /cdrom). From that point on, your CD-ROM's top-level directory is accessible in /cdrom and its subdirectories are available beneath it (/cdrom/docs, /cdrom/install, /cdrom/source, and so on).

At system startup, Linux mounts all available file systems per the specifications set forth in /etc/fstab. You can use /etc/fstab to incisively control how users and the system access your partitions. Let's quickly cover /etc/fstab now.

/etc/fstab

/etc/fstab is the plain text file in which you specify file system mount options. Each line addresses one file system. For example, the following entry specifies mount options for an MS-DOS file system mountable in /dos:

/dev/hda4 /dos msdos defaults 0 0

The line consists of six fields:

  • The file system specification—Here you specify the block device (or, for NFS, the remote file system) to be mounted—in this case, partition 4 on the first IDE drive. This is what Linux will mount.

  • The file system file location—This is the mount point—in this case, it's /dos, a common name for a DOS file system mount point, as discussed earlier.

  • The file system type—In this field, you name the file system's type as mount knows it: minix, ext2, msdos (or vfat), hpfs, iso9660 for CD-ROMs, nfs for the Network File System, or swap.

  • The file system mount options—Here you specify, as a comma-separated list, the level of access that users and the system will have on this mounted file system. Here's where security comes in. The options that matter most are as follows:

defaults Shorthand for rw,suid,dev,exec,auto,nouser,async. Note that this honors SUID bits and device nodes; it says nothing about quotas.
ro Read-only.
rw Read-write.
suid Honor the SUID and SGID bits on executables.
nosuid Ignore the SUID and SGID bits; a set-UID program on this file system runs with the caller's own privileges.
dev Interpret block and character special files (device nodes).
nodev Do not interpret device nodes. Without this, a user who can write to the file system can create a node that maps, say, a raw disk.
exec Permit execution of binaries from this file system.
noexec Do not permit execution of binaries from this file system.
quota, usrquota, grpquota Mark the file system for disk quotas (the quota files and quotaon are still required).
noquota Quotas are not enforced.

  • File system dump parameters—A numerical flag read by dump(8): 1 means the file system should be backed up, 0 means it should be skipped. Swap, /proc, and foreign file systems such as msdos are normally 0.

  • File system check sequence number—Here you specify the file system's priority for integrity checks performed by fsck at boot: 1 for the root file system, 2 for other Linux file systems (checked after root, in parallel where possible), and 0 to skip the check. Pass 1 should be used only for root, which is why the /dos entry above uses 0.

Where should you force a nosuid mount? Anywhere that local or remote users might be up to no good. For example, suppose that you anticipate providing anonymous FTP services (not a great idea). If so, consider creating a separate partition for this and have Linux mount it nosuid (and nodev). This still allows data to be written but addresses the SUID problem. Any file system that ordinary users can write to, /home and /tmp included, is a candidate for the same treatment.
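As an added example (it is not part of the original chapter), here is a small POSIX shell script that audits an fstab for the problem this section describes: user-writable file systems mounted without nosuid or nodev, plus an fsck pass number misused on a non-root file system. The fstab text is constructed inline from the chapter's layout, and the list of mount points treated as user-writable is an assumption you would adjust for your own system.

```shell
#!/bin/sh
# Added example: audit an fstab for user-writable file systems that are mounted
# without nosuid/nodev, the weakness this section describes.

# Constructed sample (not from a real system): the chapter's layout with
# "defaults" everywhere, one line already hardened, and the /dos line.
SAMPLE_FSTAB='/dev/hda2 / ext2 defaults 0 1
/proc /proc proc defaults 0 0
/dev/hda1 none swap defaults 0 0
/dev/hda5 /home ext2 defaults 0 2
/dev/hda6 /usr ext2 defaults 0 2
/dev/hda7 /var ext2 defaults 0 2
/dev/hda8 /tmp ext2 nosuid,nodev,noexec 0 2
/dev/hda4 /dos msdos defaults 1 1'

# Mount points that ordinary users can write to (assumption: this is local
# policy, adjust it for your system).  Anything here mounted without nosuid
# and nodev lets a local user plant a set-UID binary or a device node.
USER_WRITABLE='/home /tmp /var /var/tmp /dos /mnt/floppy'

# has_opt OPTIONS NAME: succeed if NAME is in the comma-separated option list.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# audit_fstab < fstab-text: print WARN/OK/NOTE lines and return the number of
# WARN findings, so the result doubles as an exit status.
audit_fstab() {
    warnings=0
    while read -r dev mnt type opts dump pass; do
        case "$dev" in ''|'#'*) continue ;; esac     # blank lines and comments
        case "$type" in swap|proc) continue ;; esac   # nothing to mount nosuid
        for p in $USER_WRITABLE; do
            [ "$mnt" = "$p" ] || continue
            missing=''
            has_opt "$opts" nosuid || missing="$missing nosuid"
            has_opt "$opts" nodev  || missing="$missing nodev"
            if [ -n "$missing" ]; then
                echo "WARN $mnt ($dev): add$missing"
                warnings=$((warnings + 1))
            else
                echo "OK   $mnt ($dev): $opts"
            fi
        done
        # fsck pass 1 belongs to the root file system; everything else is 2 or 0.
        if [ "$pass" = 1 ] && [ "$mnt" != / ]; then
            echo "NOTE $mnt ($dev): fsck pass 1 is normally reserved for /"
        fi
    done
    return "$warnings"
}

# count_warnings < fstab-text: just the number of WARN findings.
count_warnings() {
    audit_fstab | grep -c '^WARN'
}

printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab || echo "$? file system(s) need attention"
```

To check a live system, feed the real file to the function (audit_fstab < /etc/fstab) instead of the sample. After remounting with the stricter options, confirm that no set-UID binaries are lying around on those file systems with find MOUNTPOINT -xdev -perm -4000; a nosuid mount neutralizes them, but an inventory tells you whether someone had already planted one.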

Other Advantages of Multiple Partitions

So, multiple partitions offer you at least four advantages:

  • Easy backup and upgrade management

  • Faster booting (in some cases)

  • The ability to control how each file system is mounted

  • Protection against renegade SUID programs

There are other advantages. One is that the multipartition approach prevents accidental denial of service and shields your root file system from overflow. For example, /var stores logging information. If you have just a single partition containing root, /usr, /var, and /tmp, logs in /var can potentially flood your entire file system (and users can too).

Sizing Out Partitions

As noted, new users sometimes shy away from multiple partitions (beyond swap and root). That's because creating multiple partitions forces you to make some hard choices. For example, just how large should each partition be? Unfortunately, there's no definite answer to this question except when you're dealing with swap and root partitions. Swap partitions have traditionally been sized at twice the available real memory (with RAM now cheap, that rule is less pressing), and root should have 64MB minimum (although I allocate 100MB).

In respect to other file systems, you'll make your choices depending on different factors. One factor is what you intend to do with your Linux box. On a multiuser system, you'll want to give your users at least 20MB each (and probably more). Hence, for 10 users, you'll need a /home partition of at least 200MB, plus some headroom.

Some of these values are interdependent. For example, if you're accommodating many users and providing mail and news services, your /var and /home partitions will need to be substantial. Unless, of course, users use third-party mail and news solutions. In that case, their messages will be stored in their /home/user directory; for example, /home/user/.netscape/.

If you run a firewall, you'll need a large log directory hierarchy (/var), and this should have its own partition. In fact, you might be forced to put this partition on a separate disk drive. That way you'll avoid losing valuable audit information if the primary file system is corrupted.

However, in most cases your largest partitions will house the /usr and /home directories.

NOTE

Some Linux distributions are moving towards storing more dynamic data in the /var directory than they did previously. Red Hat 7.x, for example, assumes the Apache root to be /var/www. Take this into consideration when partitioning.

Let's look at a conservative example. Here's a df report from a 1.6GB IDE hard drive with a 128MB swap partition that isn't visible from the df query:

Filesystem   1024-blocks   Used  Available  Capacity  Mounted on
/dev/hda2          66365  17160      45778       27%  /
/dev/hda5         373695   1549     352845        0%  /home
/dev/hda6         703417 344725     322356       52%  /usr
/dev/hda7         127816  21235      99981       18%  /var
/dev/hda8         123919     22     117498        0%  /tmp

Here's the fstab information immediately after installation:

/dev/hda2 / ext2 defaults 0 1
/proc /proc proc defaults 0 0
/dev/hda1 none swap defaults 0 0
/dev/hda5 /home ext2 defaults 0 2
/dev/hda6 /usr ext2 defaults 0 2
/dev/hda7 /var ext2 defaults 0 2
/dev/hda8 /tmp ext2 defaults 0 2
#
/dev/fd0 /mnt/floppy ext2 defaults,noauto 0 0
#
/dev/hdb /mnt/cdrom iso9660 ro,noauto 0 0

Note partitions 5, 6, 7, and 8. These are logical partitions. You're allowed only four primary partitions in the Intel world, or three primary partitions, one extended partition, and multiple logical partitions. To create additional partitions, first establish an extended partition and then slice this into logical partitions using either fdisk or, if you have Red Hat, Disk Druid.

CAUTION

Some distributions offer user-friendly installation routines that automatically suggest disk layout (much like Sun's Solaris does). These routines are convenient, but think carefully before accepting such a partitioning scheme. Automatic partitioning does not take into account the way that the system will be used. Instead, it creates a generalized partition table that doesn't necessarily work well with Web or file servers. For beginners, however, automatic disk layout is a great way to create a solid file system foundation with very little effort.

Although you've probably used fdisk already, some folks who purchased this book might not have installed Linux yet. For their benefit, I'll briefly address fdisk here. If your Linux distribution doesn't use fdisk, keep reading. Cfdisk and Disk Druid are both discussed later in the chapter.

fdisk

fdisk is a partition manipulator for Linux. During your installation, Linux will move you from a semi-graphical environment to a command-line interface so that you can partition your disks. At that point, you'll almost certainly be dealing with fdisk.

fdisk's initial prompt will look much like this:

Using /dev/hda as default device!

The number of cylinders for this disk is set to 1579.
This is larger than 1024, and may cause problems with:
1) software that runs at boot time (e.g., LILO)
2) booting and partitioning software from other OSs
  (e.g., DOS FDISK, OS/2 FDISK)

Command (m for help):

Before continuing, if you're using fdisk for the first or even the fifth time, review the list of valid commands. That way, you can familiarize yourself with each one and reduce the chance of error. To view the complete command set, type m and press Enter. In response, fdisk will print a help menu:

Command action
  a  toggle a bootable flag
  b  edit bsd disklabel
  c  toggle the dos compatibility flag
  d  delete a partition
  l  list known partition types
  m  print this menu
  n  add a new partition
  o  create a new empty DOS partition table
  p  print the partition table
  q  quit without saving changes
  s  create a new empty Sun disklabel
  t  change a partition's system id
  u  change display/entry units
  v  verify the partition table
  w  write table to disk and exit
  x  extra functionality (experts only)

Also, examine the current partition table before you make any changes. That way, you can verify whether any partitions already exist. To do so, type p and press Enter. If you're working with an unpartitioned disk, fdisk will print a blank table:

Disk /dev/hda: 32 heads, 63 sectors, 1579 cylinders
Units = cylinders of 2016 * 512 bytes

  Device Boot  Start   End  Blocks  Id System

Command (m for help):

Now you're ready to begin creating your partitions.

From here on, I'll stick with the values from the preceding partitioning example. You'll need to adjust partition sizes according to your own needs. This is merely a walkthrough that demonstrates how to create an extended partition and logical partitions within it. Few Linux how-to books address this issue. (Most such books focus on Red Hat installations. Red Hat includes Disk Druid, a semi-graphical tool that simplifies the process for you. However, you might be installing another distribution, one with command-line fdisk. If so, this next section will illustrate the steps required when you're creating such partitions by hand.)

Creating the Swap and Root Partitions

First, you'll need to create your swap and root partitions. In this example, I'll assume that you're installing to a new hard drive, with no other existing file systems previously installed.

To create a new partition, type n and press Enter. In response, fdisk will ask you what style of partition you want. Type p and press Enter for primary:

Command Action

e extended
p primary partition (1-4)
p

fdisk will then ask you to number the new partition. This is your first primary partition and will house your swap space, so choose 1:

Partition Number (1-4): 1

Next, fdisk will ask you to specify where the partition starts. This is your first partition and you want to write it from the first cylinder onward, so choose 1:

First cylinder: (1-1579) 1

Finally, to complete the cycle, fdisk will ask you to size the partition. Swap partition size is a matter of personal preference. In past years, Linux tutorials prescribed a ratio approach: "If you have 8MB of RAM, you'll need a 16MB swap partition, minimum." With the cost of 128MB RAM falling well below $100, it is rarely necessary to rely heavily on swap space.

As per the preceding example, choose 128MB (based on 64MB of physical RAM):

Last cylinder or +size or +sizeM or +sizek (1-1579): +128M

After you create each partition, reexamine the fdisk partition table. This way, if you make typographical errors, you can catch them before writing changes to disk. Here's what the updated table will look like after you create the first partition:

Command (m for help): p

Disk /dev/hda: 32 heads, 63 sectors, 1579 cylinders
Units = cylinders of 2016 * 512 bytes

  Device Boot  Start   End  Blocks  Id System
/dev/hda1       1   130  131008+ 83 Linux native

Note that the partition is type 83 (Linux native). You need to change this. This partition is a swap partition, and you must manually designate it as such. To do so, type t and press Enter:

Command (m for help): t

In response, fdisk will prompt you for the partition number. Choose 1:

Partition number (1-4):1

Finally, fdisk will ask which partition type you want. Choose 82 to convert the partition to a Linux swap:

Hex Code (L to list): 82

When you reexamine the partition table, fdisk will reflect the changes:

Command (m for help): p

Disk /dev/hda: 32 heads, 63 sectors, 1579 cylinders
Units = cylinders of 2016 * 512 bytes

  Device Boot  Start   End  Blocks  Id System
/dev/hda1       1   130  131008+ 82 Linux swap

Next, create the root partition. Here again, size is a matter of personal preference. You should allocate at least 64MB to root, as noted earlier; 100MB is a comfortable figure. In any case, the procedure is precisely the same. You start by creating a new partition. Type n and press Enter. Then fdisk will ask what style of partition you'd like. Again, type p and press Enter for primary:

Command Action

e extended
p primary partition (1-4)
p

Then fdisk will ask you to number the new partition. This will be your second primary partition, so choose 2:

Partition Number (1-4): 2

In response, fdisk will ask you to specify where the partition starts:

First cylinder: (131-1579)

Note that the first valid starting cylinder is now 131. That's because your swap partition occupies cylinders 1 through 130. Therefore, you'll start your root partition at cylinder 131:

First cylinder: (131-1579) 131

And finally, fdisk will ask you to size the partition. For this example, allocate 64MB:

Last cylinder or +size or +sizeM or +sizek (131-1579):+64M

The results show a Linux swap partition (type 82) and a root partition (type 83, Linux native):

Command (m for help): p

Disk /dev/hda: 32 heads, 63 sectors, 1579 cylinders
Units = cylinders of 2016 * 512 bytes

  Device Boot  Start   End  Blocks  Id System
/dev/hda1       1   130  131008+ 82 Linux swap
/dev/hda2      131   198  68544  83 Linux native

Creating the Extended Partition

The next step is to create an extended partition that will occupy the remaining disk space. To create an extended partition, type n and press Enter (new), and then choose e for extended:

Command Action

e extended
p primary partition (1-4)
e

Here, fdisk will ask you to specify the extended partition's first cylinder. In this case, the first available cylinder is 199, so choose that:

First cylinder: (199-1579):199

Finally, fdisk will ask you to specify the extended partition's last cylinder. In general, you should go with the very last cylinder. That way, the extended partition occupies the remaining disk space. For this example, however, leave some space at the end of the disk and specify cylinder 1560:

Last cylinder or +size or +sizeM or +sizek (199-1579): 1560

Here are the results:

Command (m for help): p

Disk /dev/hda: 32 heads, 63 sectors, 1579 cylinders
Units = cylinders of 2016 * 512 bytes

  Device Boot  Start   End  Blocks  Id System
/dev/hda1       1   130  131008+ 82 Linux swap
/dev/hda2      131   198  68544  83 Linux native
/dev/hda3      199   1560 1372896  5 Extended

The table now shows one Linux swap partition, one Linux native partition, and one extended partition. Your remaining task is to allocate several logical partitions inside the extended one.

Creating Logical Partitions Within the Extended Partition

Now that fdisk is aware of an extended partition, the fdisk menu will change. To create your first logical partition (for /home), type n and press Enter. In response, fdisk offers a new menu. Here, choose l for logical:

Command Action

l  logical (5 or over)
p  primary partition (1-4)
l

Then fdisk will ask you to specify the new logical partition's first cylinder. Note that the first available cylinder is 199, which is the same first available cylinder that you specified for the extended partition. That's because your logical partitions lie inside the extended partition, and the range offered now ends at 1560, where the extended partition ends. So, choose 199:

First cylinder: (199-1560):199

Finally, fdisk will ask you to specify this logical partition's last cylinder. To give /home about 377MB (cylinders 199 through 581), choose 581:

Last cylinder or +size or +sizeM or +sizek (199-1560): 581

Here are the results so far:

Command (m for help): p

Disk /dev/hda: 32 heads, 63 sectors, 1579 cylinders
Units = cylinders of 2016 * 512 bytes

  Device Boot  Start   End  Blocks  Id System
/dev/hda1       1   130  131008+ 82 Linux swap
/dev/hda2      131   198  68544  83 Linux native
/dev/hda3      199   1560 1372896  5 Extended
/dev/hda5      199   581  386032+ 83 Linux native

You add the remaining partitions, /usr, /var, and /tmp, in the same fashion. Here's the sequence for /usr:

Command Action

l  logical (5 or over)
p  primary partition (1-4)
l
First cylinder: (582-1560):582
Last cylinder or +size or +sizeM or +sizek (582-1560): 1302

Here's the sequence for /var:

Command Action

l  logical (5 or over)
p  primary partition (1-4)
l
First cylinder: (1303-1560):1303
Last cylinder or +size or +sizeM or +sizek (1303-1560): 1433

And finally, the sequence for /tmp:

Command Action

l  logical (5 or over)
p  primary partition (1-4)
l
First cylinder: (1434-1560):1434
Last cylinder or +size or +sizeM or +sizek (1434-1560): 1560

When you view the final results, fdisk will reflect the following changes:

Command (m for help): p

Disk /dev/hda: 32 heads, 63 sectors, 1579 cylinders
Units = cylinders of 2016 * 512 bytes

  Device Boot  Start   End  Blocks  Id System
/dev/hda1       1   130  131008+ 82 Linux swap
/dev/hda2      131   198  68544  83 Linux native
/dev/hda3      199   1560 1372896  5 Extended
/dev/hda5      199   581  386032+ 83 Linux native
/dev/hda6      582   1302  726736+ 83 Linux native
/dev/hda7     1303   1433  132016+ 83 Linux native
/dev/hda8     1434   1560  127984+ 83 Linux native

After you've achieved and verified your desired results, choose w. This will exit fdisk and permanently commit these changes to disk. Linux will then return you to the main installation program.
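Before you press w, it is worth checking the cylinder arithmetic rather than trusting your eyes. The following POSIX shell script is an added example, not part of the original chapter: it reproduces fdisk's block counts for the walkthrough's layout (so you can see where the trailing + signs and figures such as 131008 come from), flags a logical partition that falls outside the extended partition, and flags a partition that starts before the previous one ends. The geometry (32 heads, 63 sectors) and the plan are taken from the tables above; the rule that a partition starting on cylinder 1 loses the MBR track and every logical partition loses its EBR track is the classic PC partitioning convention, and the plan format is my own.

```shell
#!/bin/sh
# Added example: sanity-check a planned MBR partition layout before writing it.
# Geometry from the chapter's example disk (32 heads, 63 sectors per track).
HEADS=32
SECTORS=63
CYL_SECTORS=$((HEADS * SECTORS))      # 2016 sectors of 512 bytes per cylinder

# Planned layout, constructed from the walkthrough: "device start end kind",
# where kind is primary, extended or logical.
PLAN='hda1 1 130 primary
hda2 131 198 primary
hda3 199 1560 extended
hda5 199 581 logical
hda6 582 1302 logical
hda7 1303 1433 logical
hda8 1434 1560 logical'

# part_blocks START END KIND: 1K-block count the way fdisk prints it.  A partition
# that begins on cylinder 1 loses the MBR track, and every logical partition loses
# its EBR track (SECTORS sectors each); a trailing "+" marks the half block lost
# when an odd sector count is divided by two.
part_blocks() {
    sectors=$(( ($2 - $1 + 1) * CYL_SECTORS ))
    if [ "$3" = logical ] || [ "$1" -eq 1 ]; then
        sectors=$((sectors - SECTORS))
    fi
    if [ $((sectors % 2)) -eq 1 ]; then
        echo "$((sectors / 2))+"
    else
        echo "$((sectors / 2))"
    fi
}

# part_mb START END: size in MB, rounded to the nearest megabyte.
part_mb() {
    echo $(( (($2 - $1 + 1) * CYL_SECTORS * 512 + 524288) / 1048576 ))
}

# check_plan < plan-text: print one line per partition and report two classic
# mistakes: a logical partition outside its extended container, and a partition
# that starts before the previous one ends.  Returns the number of problems.
check_plan() {
    problems=0
    ext_start=0
    ext_end=0
    prev_end=0
    while read -r dev start end kind; do
        [ -n "$dev" ] || continue
        printf '%-5s %5s %5s %9s %6s MB  %s\n' "$dev" "$start" "$end" \
            "$(part_blocks "$start" "$end" "$kind")" "$(part_mb "$start" "$end")" "$kind"
        if [ "$start" -le "$prev_end" ]; then
            echo "ERROR $dev: starts at cylinder $start but the previous partition ends at $prev_end"
            problems=$((problems + 1))
        fi
        case "$kind" in
            extended)
                # Logical partitions live inside this range, so the extended
                # partition's end is not treated as occupied space.
                ext_start=$start
                ext_end=$end
                ;;
            logical)
                if [ "$start" -lt "$ext_start" ] || [ "$end" -gt "$ext_end" ]; then
                    echo "ERROR $dev: logical partition outside extended range $ext_start-$ext_end"
                    problems=$((problems + 1))
                fi
                prev_end=$end
                ;;
            *)
                prev_end=$end
                ;;
        esac
    done
    return "$problems"
}

printf '%s\n' "$PLAN" | check_plan || echo "$? problem(s) found; do not write this table"
```

The block counts it prints match the final fdisk table above line for line, which is the point: if your own plan's numbers disagree with what fdisk shows after p, you mistyped a cylinder somewhere and should fix it before w makes it permanent.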

Other Partitioning Tools

Not every Linux installation program directs you to fdisk for partitioning. Instead, you might work with cfdisk or Disk Druid. These tools are much easier to use.

cfdisk

cfdisk is a Curses-based partition manipulator for Linux.

NOTE

Curses is a development package for creating menu-based programs on Unix terminals. Curses applications vaguely resemble old DOS programs, in that you can navigate menu choices by using arrow keys. Traditional Curses applications have a black background and white foreground. Menu choices appear in white until highlighted with a white bar, at which point the highlighted text turns black. Learn more about Curses programming at http://dickey.his.com/ncurses/ncurses-intro.html.

cfdisk presents a comfortable and easy-to-navigate interface. Please see Figure 3.9.

Figure 3.9 Partitions viewed in cfdisk's Curses environment.

For the most part, you'll have no trouble navigating cfdisk using arrow keys—the program provides ample help along the way. However, I've provided a summary of important cfdisk keystrokes and their functions in Table 3.2. This is in the event that on your first installation, you're forced to use cfdisk but have little or no accompanying documentation—a common problem.

Table 3.2 Keystroke Commands in cfdisk

Key  Function
?    Get help.
b    Set (or unset) the highlighted partition as bootable.
d    Delete the highlighted partition.
g    Enter an expert mode where you can alter the disk's listed geometry. Warning: Use this function with caution. This is much like specifying your own disk drive settings (heads, sectors, cylinders) in your BIOS. Chances are that cfdisk's auto-detected values are correct. If you specify erroneous values, your Linux system may not boot.
h    Get help.
n    Create a new partition.
p    Print the current partition table (to the screen or to a file).
q    Quit cfdisk without writing changes.
t    Change the partition type (much like t works in fdisk).
W    Write changes to disk. (You must issue the W command in uppercase.)


Disk Druid

Disk Druid, the fdisk alternative offered by Red Hat's installer, is even easier to use. The application is entirely graphical. Please see Figure 3.10.

Figure 3.10 Disk Druid's opening screen.

To add your partitions, highlight the Add button and press Enter. In response, Disk Druid displays a dialog box with all the options you'll ever need. Please see Figure 3.11.

Figure 3.11 Disk Druid's partition editing screen.

Summary of Partitions and Security

Because partitioning has a strong bearing on your system security, you should carefully weigh your options before installation. Making your final decisions will never be easy.

Balancing disk load is probably the most challenging aspect of partitioning, particularly with smaller disks. By creating multiple partitions, you limit each file system's ability to grow. In certain instances, of course, that's exactly what you want. However, it's irritating to later discover that you failed to allocate adequate disk space.

One thing that can help is to know each major file system's purpose. Here they are, in short order:

  • /—Houses relatively few files: essential binaries (/bin, /sbin), their libraries, configuration and startup scripts (/etc), and device nodes (/dev).

  • /usr—Houses most of your software.

  • /home—Houses your user directories.

  • /opt—This is for third-party add-on software (Netscape, StarOffice, and so on).

  • /var—Houses garden-variety administrative logs, mail, and news.

Disk balancing also gets easier if you develop policies for a consistent application set. For example, perhaps you limit third-party software to Netscape Communicator, StarOffice, and Corel WordPerfect. This eliminates the need for a large /var partition (Netscape keeps mail and news under the user's home directory rather than in /var/spool, as noted earlier) and gives you a ballpark figure on how large /opt has to be.

Of course, there's no law mandating that you create a dozen partitions. The partition parameters in the preceding examples are for demonstration purposes only. You can get along nicely with just three partitions, especially if only a few trusted users have access to your Linux system. Only you can accurately assess how many partitions you'll need and which file systems to segregate.

Here are some closing tips:

  • You might prefer fewer partitions, or you might want to prioritize file systems that must or should be segregated. If so, the important file systems to house on separate partitions are root (/), /var, and /tmp from a security viewpoint, or root (/), /var, and /usr from an administrative viewpoint. At bare minimum, I strongly advise housing root on its own partition.

  • If you allocate partitions to non-Linux operating systems, carefully consider how you want Linux to mount them. For example, suppose that you have a small Windows partition at the beginning of the disk. If you use this partition almost exclusively when in Windows, consider having Linux mount it read-only or not at all. That way, you protect it from either accidental or intentional damage.

  • If you're running a firewall, sniffer, or other network-monitoring device, funnel logs to their own partition (preferably on another disk). A burst of log entries, whether from an attack or from a misconfiguration, then fills only that partition, and heavy log writes don't compete with the root file system for the same spindle.

  • Exercise care when setting partition mount options. Restrictive policies can lead to administrative headaches. For example, suppose that you lump contributed binaries into /usr/local and have Linux mount /usr/local read-only. Later, this hampers upgrades: you must remount it read-write first, and remember to remount it read-only afterward.
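As an added example, not part of the original chapter, here is a small POSIX shell audit of the advice in these tips. It runs against constructed fstab text rather than a real /etc/fstab: the device names (/dev/hda*), the /win mount point, the two layouts SAMPLE_FSTAB and BAD_FSTAB, and the helper names fstab_options, has_option, audit_fstab, and warning_count are all assumptions made for illustration. The checks themselves follow the tips above: /, /var, /tmp, and /usr on partitions of their own; nosuid and nodev (standard Linux mount options that ignore set-user-ID bits and device nodes on that file system) on the trees that users and daemons write to; and non-Linux partitions either read-only or not mounted at boot.

```shell
#!/bin/sh
# Added example: audit an fstab for the partitioning advice in this section.
# Everything below is constructed for illustration; the device names and the
# layouts are assumptions, not a layout the chapter prescribes.

# A layout that follows the tips: /, /usr, /var, /tmp and /home segregated,
# /usr and /usr/local read-only, the world-writable trees nosuid and nodev,
# and the Windows partition read-only and not mounted at boot.
SAMPLE_FSTAB='
# device      mountpoint   type   options                       dump pass
/dev/hda2     /            ext2   defaults                      1 1
/dev/hda5     /usr         ext2   defaults,ro                   1 2
/dev/hda6     /usr/local   ext2   defaults,ro                   1 2
/dev/hda7     /var         ext2   defaults,nosuid,nodev         1 2
/dev/hda8     /tmp         ext2   defaults,nosuid,nodev,noexec  1 2
/dev/hda9     /home        ext2   defaults,nosuid,nodev         1 2
/dev/hda1     /win         vfat   ro,noauto                     0 0
/dev/hda3     swap         swap   defaults                      0 0
'

# The "one big partition" layout the chapter warns about, with the Windows
# partition mounted read-write at boot.
BAD_FSTAB='
/dev/hda2     /            ext2   defaults                      1 1
/dev/hda1     /win         vfat   defaults                      0 0
/dev/hda3     swap         swap   defaults                      0 0
'

# Print the mount options for mount point $2 from the fstab text $1, or
# nothing if $2 has no entry of its own (it then lives on its parent's
# partition, usually /).
fstab_options() {
    printf '%s\n' "$1" | awk -v mp="$2" \
        '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4; exit }'
}

# Succeed if the comma-separated option list $1 contains option $2.
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print one line per finding and return the number of WARN lines (0 = clean).
audit_fstab() {
    fstab=$1
    warnings=0

    # Security viewpoint: /, /var and /tmp on their own partitions;
    # the administrative viewpoint adds /usr.
    for mp in / /var /tmp /usr; do
        if [ -z "$(fstab_options "$fstab" "$mp")" ]; then
            echo "WARN: $mp has no partition of its own"
            warnings=$((warnings + 1))
        else
            echo "OK:   $mp is segregated"
        fi
    done

    # Trees that ordinary users or daemons write to: set-user-ID binaries and
    # device nodes have no business there, so refuse to honour them.
    for mp in /var /tmp /home; do
        opts=$(fstab_options "$fstab" "$mp")
        [ -n "$opts" ] || continue
        for opt in nosuid nodev; do
            if ! has_option "$opts" "$opt"; then
                echo "WARN: $mp is mounted without $opt"
                warnings=$((warnings + 1))
            fi
        done
    done

    # Non-Linux partitions: mount read-only, or not at all at boot time.
    for entry in $(printf '%s\n' "$fstab" | awk \
            '$1 !~ /^#/ && NF >= 4 && $3 ~ /^(vfat|msdos|ntfs)$/ { print $2 ":" $4 }'); do
        mp=${entry%%:*}
        opts=${entry#*:}
        if ! has_option "$opts" ro && ! has_option "$opts" noauto; then
            echo "WARN: $mp is a foreign file system mounted read-write at boot"
            warnings=$((warnings + 1))
        fi
    done

    return "$warnings"
}

# Print just the number of warnings, for use from other scripts.
warning_count() {
    audit_fstab "$1" | grep -c '^WARN' || true
}

# Stand-alone run: the segregated layout reports no warnings, the
# single-partition layout reports four.
echo "== segregated layout =="
audit_fstab "$SAMPLE_FSTAB" || echo "warnings: $?"
echo "== single-partition layout =="
audit_fstab "$BAD_FSTAB" || echo "warnings: $?"
```

To check a live system, run `audit_fstab "$(cat /etc/fstab)"`. The read-only /usr/local caveat from the last tip then shows up in practice: before an upgrade you remount with `mount -o remount,rw /usr/local`, and afterward you put the restriction back with `mount -o remount,ro /usr/local`.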

Finally, here are some resources for more information on partitioning:
