Web Hosting Talk







/tmp partitions


clockwork
11-22-2002, 12:30 AM
Why is it that some companies offering dedicated servers never set up the servers with /tmp partitions?

Or.. for that matter, anything reasonable for /usr or /var ?

What are YOUR standards for partitioning?

2host.com
11-22-2002, 05:56 AM
Originally posted by clockwork
Why is it that some companies offering dedicated servers never set up the servers with /tmp partitions?


Because they don't understand fully what they are doing. There are no ifs, ands or buts about it. They obviously fail to understand the basics of security and reasons for having different partitions.


Or.. for that matter, anything reasonable for /usr or /var ?


Refer to above, but in a worse way. People like Rackshack even have, /tmp, /var and /home on the same partition as everything else. Everything sits on the / root partition. Talk about reckless. They don't understand how big of a deal this is. I urged them to consider this risk, not to mention that if there's any partition that suffers from corruption, you lose more than one area of your data, you lose it all. Apparently these people have never heard of sym/hard link attacks and many other things.


What are YOUR standards for partitioning?

/, /var and /tmp should at the very least have their own partitions. This is important to file system security. /home, /boot, /usr are a good idea to have on their own as well. /usr/local is yet another very good idea. Also, to have a chrooted partition for any monitoring tools, logs, etc. Yet another for any chrooted services that are better secure on their own partitions (BIND for example, if you run it).

Not only this, but from a security stand point in other aspects, you are able to mount the partitions differently, with different options. Between having separate partitions, and mounting them correctly, depending on your needs, it can really improve security, as well as data integrity. My suggestion is as follows;

/
/boot
/var
/usr
/usr/local
/tmp
/home
/chrooted partition
* And extra room for another for services and logging, monitoring, etc.

At the very least, you should have:

/
/boot
/var
/usr
/tmp
/home

clockwork
11-22-2002, 11:38 AM
I'm not alone! :D

ryza
11-22-2002, 12:26 PM
Sorry, but I have to comment :0

it is NOT A SECURITY RISK!.
It actually can make things easier if you have 7GIG of files you want to fit on a 9GIG SCSI Drive.
If you're worried about security then obviously you have other users on your box in that case you should create the appropriate Chroot/Jail environment and lock them in, (which CPanel usually does for you?)

ryza

ryza
11-22-2002, 12:32 PM
also the only partitions required for a linux install are as follows.

/boot (50Mb for boot files.)
/SWAP (double size of memory)
/ (rest of harddrive space)

ryza

2host.com
11-22-2002, 12:44 PM
it is NOT A SECURITY RISK!.


Yes, it very much is. There are many reasons for this. You should look into this, if you wish to make such claims.


It actually can make things easier


No, it never makes things easier. If you want to store giant files, you should get a larger drive.


if you have 7GIG of files you want to fit on a 9GIG SCSI Drive.


Then the drive isn't large enough, is it? Security shouldn't suffer because you want to use a file system with multiple users as a place to store files that will take up most or all of the drive.

Also, if you want to store 7 gig's of files on a 9 gig drive, between the OS install and those files, you have no room left for any user accounts anyway.

Also, you risk data corruption on a larger scale.

It is more insecure, I will explain below.

It will also degrade drive performance on reads.


If you're worried about security then obviously you have other users on your box


Perhaps, but not really. If a service can be exploited due to a vulnerability, it can greatly reduce your chances of a compromise on any other area of the system. This can be due to the vulnerability opening up ways for a remote attacker to attempt exploits that will need to have the files on the same partition. This can greatly reduce the risk. However, it does help a great deal with user accounts on the system. And there is no way to replace that aspect of security with any other measures.


in that case you should create the appropriate Chroot/Jail environment and lock them in,


That will not replace the method of having separate partitions for added security. That will have an entirely other effect. That will not prevent the exploits I have mentioned and will mention, which individual partitions will. Also, chroot jails are not difficult to break out of. That is a cosmetic solution and hardly worth the effort. Security methods should be implemented that make it so you do not have to worry if someone's in a chroot environment or not anyway.


(which CPanel usually does for you?)

ryza

No, Cpanel does not do this for you. Again, it's irrelevant anyway, as it will not prevent the issues above that I mentioned. Just a quick search will show you many documents about this. Here is but one of many:

http://www.olemiss.edu/helpdesk/itnews/200003/linux.html


"Linux Security Issues Part 2: Disk Partioning

Raymond Prach

Linux is a free, UNIX-like, open-source, Intel-optimized, 32 or 64-bit operating system that runs on Intel and RISC processors. To take advantage of the full benefit of the power of Linux you need to cultivate a higher level of technical expertise than needed to use a consumer-oriented operating system. However, the effort is worthwhile.

This article examines security issues that are addressed during installation of Linux.

Because partitioning has a significant impact on system security, you need to weigh your options carefully. Distributions, such as Red Hat, provide installation routines that automatically configure disk layout. Although convenient, these partitioning schemes usually are not optimum for a specific installation. Before starting any installation program, it will be necessary to partition your disk space. This is usually done using fdisk, a command line utility; however, many distributions include other disk partitioning utilities which some find easier to use than fdisk.

First, you should never put root and user file systems on the same Linux partition. Doing so increases the avenues, such as SUID programs, that malicious hackers can exploit to compromise your system. SUID files always execute with owner privileges. Thus, if root owns an SUID program, that program will execute with root privileges and have considerable power to access, alter, and overwrite files that should otherwise be unreachable. In addition, it is prudent to segregate data files from the operating system and program files.

Bottom line: lumping Linux into a single native partition makes your life as a system administrator difficult. For example, it will hinder your ability to incisively update, backup, or reinstall individual packages or file systems. When the full Linux system occupies one partition, even limited file corruption can cause systemic problems. Thus one corrupted directory hierarchy can affect others and you may even have to format and reinstall.

To avoid these problems, create a separate partition for each major file system, these being:

/ - contains few files, mostly scripts.

/usr - contains most of the system files and software.

/home - contains user directories and files.

/opt - contains third-party add-on software (Netscape, StarOffice).

/var - contains administrative logs, mail, and news.

In addition, you will need a swap partition and the data file system.

You may prefer fewer partitions, or have other file systems that must be segregated. In any case, it is important to segregate root(/), /var, and /tmp from a security perspective, or root(/), /var, /usr, and /data from an administrative viewpoint. At a bare minimum, segregate root from the other file systems.

If you allocate partitions to other operating systems, consider mounting them as read only if at all under Linux. That way, those partitions are protected from accidental or intentional damage under Linux.

If you use a firewall, sniffer, or other network-monitoring device, mount the logs on their own partition, preferably on another physical disk.

Finally, from the net, here are some resources on partitioning under Linux:

Debian Linux Installation & Getting Started by Boris D.Beletsky. The author takes you through each step of installation, with special emphasis on disk partitioning. The article is found at http://www.linuxgazette.com/issue15/debian.html

Linux Installation and Getting Started by Matt Welsh. Specific to SlackWare, the document steps through every aspect of installation and partitioning in minute detail.
Find it at http://durak.org/sean/pubs/ligs-slackware/

The Linux Disk HOWTO by Stein Gjoen. For the techno-nerd. The author discusses drive geometry and structure, disk layout, partitioning, and on and on. See it at
ftp://ftp.ixlmemphis.com/pub/linux/LDP/HOWTO/

The Linux Partition HOWTO by Kristan Koehntopp. The author discusses disk balancing, partition sizes, and other disk partitioning issues. Available at
ftp://ftp.ixlmemphis.com/pub/linux/LDP/HOWTO/mini/Partition.

White Paper for Partition Magic 3.0: Optimizing Hard Drives with Partitions. The authors discuss security and disk management issues when partitioning a disk. Surf to
http://www.powerquest.com/support/white1.html"

Hope this helps.

2host.com
11-22-2002, 12:50 PM
Originally posted by ryza
also the only partitions required for a linux install are as follows.

/boot (50Mb for boot files.)
/SWAP (double size of memory)
/ (rest of harddrive space)

ryza

<<MOD NOTE: Portions of the post below have been edited>>

[You] are coming in claiming things to counter what I stated, and [people should not spread] false and dangerous information. Perhaps you're a fan of Rackshack or are just too used to them, based on my comment above, as that's the exact install, which is a really amateur, bad and insecure install, that Rackshack does. Of course, others do as well.

[What] you are claiming is very incorrect. I have offered reasons and now documentation to back this up, what I said. There's a lot more information out there. This is very basic stuff we're talking about. Please be sure you post the facts about this, and _not_ your opinion.

clockwork
11-22-2002, 05:13 PM
Couldn't have said it better myself, well done.

Turbo
11-22-2002, 07:26 PM
Originally posted by 2host.com
You don't know what you're talking about.
How are you so sure that you do?

I've read over your comments and you repeatedly insinuate that using separate partitions is automatically more "secure" but provide no concrete evidence to back it up.

Please enlighten us, or retract your claims.

2host.com
11-22-2002, 08:31 PM
Originally posted by Turbo
How are you so sure that you do?

I've read over your comments and you repeatedly insinuate that using separate partitions is automatically more "secure" but provide no concrete evidence to back it up.

Please enlighten us, or retract your claims.

<<MOD NOTE: Portions of the post below have been edited>>

I stated reasons above. If you don't understand how hard links work, or how sym link attacks work, or how you can't do stack attacks on binaries across the file system on another partition, or how you can mount partitions with different options, such as nosuid, and nodev, and noexec, etc., mounting it read only, etc., then you should [read up on this].

After all, those reasons above, are known reasons, and they are facts. They also outline the problems with not doing it. What don't you understand? If you don't understand the details or know how these are problems and partitioning is the solution, <removed>?

If the above isn't proof, it's simply because you need to educate yourself on this topic. I think that the book "Maximum Linux Security" speaks of this very topic on a few pages in the first few chapters. Go read it.

It's not a very in-depth book and only covers basic stuff, but if you need to start learning from somewhere, you'll be able to read about this and understand what I'm talking about. If you're still confused about how suid exploits can be avoided, among other things, then you can maybe try that search engine thing.
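
The points in the posts above about separate partitions and per-partition mount options (nosuid, nodev, noexec) can be checked mechanically. This added example, which is not part of any poster's message, audits a mounts table in /proc/mounts format; the policy table, function names and sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a mounts table against a partitioning policy.
# POLICY is an assumption: mount points taken from the "at the very least"
# list in the thread, paired with options we choose to require on each.
POLICY='/tmp nosuid,nodev,noexec
/var nodev
/home nosuid,nodev
/boot nodev
/usr nodev'

# audit_mounts FILE
# FILE uses the /proc/mounts layout: device mountpoint fstype options 0 0
# Prints one finding per line; exit status is 1 if anything was found.
audit_mounts() {
    mounts_file=$1
    printf '%s\n' "$POLICY" | awk -v mf="$mounts_file" '
        BEGIN {
            # Load mount point -> option string; a later line for the same
            # mount point replaces the earlier one (the last mount wins).
            while ((getline line < mf) > 0) {
                split(line, f, " ")
                opts[f[2]] = f[4]
            }
        }
        {
            mp = $1
            if (!(mp in opts)) {
                # Not in the table: the path lives on its parent filesystem.
                print "MISSING " mp " is not a separate filesystem"
                bad = 1
                next
            }
            n = split($2, want, ",")
            for (i = 1; i <= n; i++) {
                # Whole-word match inside the comma-separated option list.
                if (index("," opts[mp] ",", "," want[i] ",") == 0) {
                    print "WEAK " mp " lacks " want[i]
                    bad = 1
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: the /boot + swap + / layout argued for in the thread
# (swap never appears in a mounts table).
sample_single_root() {
    cat <<'EOF'
/dev/hda3 / ext3 rw 0 0
/dev/hda1 /boot ext3 rw 0 0
proc /proc proc rw 0 0
EOF
}

# Constructed sample: the split layout, with one option forgotten on /home.
sample_partitioned() {
    cat <<'EOF'
/dev/hda3 / ext3 rw 0 0
/dev/hda1 /boot ext3 rw,nosuid,nodev 0 0
/dev/hda5 /var ext3 rw,nosuid,nodev 0 0
/dev/hda6 /usr ext3 ro,nodev 0 0
/dev/hda7 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/hda8 /home ext3 rw,nosuid 0 0
EOF
}

# Demo run over both constructed samples.
demo_dir=$(mktemp -d)
sample_single_root > "$demo_dir/single"
sample_partitioned > "$demo_dir/split"
for layout in single split; do
    echo "== $layout =="
    audit_mounts "$demo_dir/$layout" || echo "(findings listed above)"
done
rm -rf "$demo_dir"
```

On a live system the same function can be pointed at /proc/mounts directly.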

Turbo
11-22-2002, 08:53 PM
I stated reasons above. If you don't understand how hard links work,
Hard linking of other users' files can be stopped in a variety of ways, e.g. with grsecurity.

or how sym link attacks work,
Symlinks have nothing to do with partitions.

or how you can't do stack attacks on binaries across the file system on another partition,
What? Please elaborate.

or how you can mount partitions with different options, such as nosuid, and nodev, and noexec, etc., mounting it read only, etc.,
True, there are some optional features that can be taken advantage of when multiple partitions are used. But none of the options you mention have any real world impact on security, except when used with untrusted remote file systems.

2host.com
11-22-2002, 09:14 PM
<<MOD NOTE: OT remarks removed>>


Hard linking of other users' files can be stopped in a variety of ways, e.g. with grsecurity.


This is a tool to prevent some things from happening, this does not cover all the same aspects.


Symlinks have nothing to do with partitions.


You aren't familiar with sym link attacks.


What? Please elaborate.


Go read up on buffer overflows on suid programs and how they can be avoided if they reside on another physical partition. That information is quoted above from that site even.


But none of the options you mention have any real world impact on security, except when used with untrusted remote file systems.

You are confused. It's that simple.

You fail again to understand the basics. Anyone that's interested in either this topic, or to see who speaks the facts (*I posted but one of very many articles about this as proof*), they can see for themselves.

Turbo
11-22-2002, 09:47 PM
Originally posted by 2host.com
Anyway, the fact that you come in with the same responses, having absolutely no idea what you're talking about, and having the nerve to post these personal attacks in response.
Excuse me? I haven't posted any personal attacks, nor have I even come close. You are the one deviating from the topic and posting almost exclusively personal attacks against those who beg to differ with you. Just take a look at your last reply to me. Throughout 80%+ of it you were trying to claim how ignorant I was, instead of staying on topic and explaining your reasons for believing the way you do.

I'm sure the mods can verify this.
Clearly, you're backed in a corner and want the mods to rescue you. Good luck. Any mod will find quite easily that I'm not "ryza".

You aren't familiar with sym link attacks.
Once again, you're taking the easy route and trying to claim that I don't know what I'm talking about, instead of proving that you do.



[More "I'm right, you're wrong" content-free blather snipped.]


Are you just dying to argue with anyone about anything, or what? You are confused. It's that simple.
This appears to mark the end of any on-topic content, and the beginning of immature personal attacks, so I have stopped reading here. I'm not going to stoop to your level. Sorry.

2host.com
11-22-2002, 09:59 PM
Originally posted by Turbo
Excuse me? I haven't posted any personal attacks, nor have I even come close.


Okay.


You are the one deviating from the topic and posting almost exclusively personal attacks against those who beg to differ with you.


Not whatsoever. Not in the least. Anything off topic, was a result of responding to your comments.


Just take a look at your last reply to me.


I suggest you do the same. Anyway, again, where's the technical reasons why I'm wrong? I posted the URL and you claimed they were grossly exaggerated claims. And so on.


Throughout 80%+ of it you were trying to claim how ignorant I was,


Well, you are.


instead of staying on topic and explaining your reasons for believing the way you do.


I posted the URL. You refuse to accept that. You refuse to use a search engine. You had nothing to argue about, but you choose to come in and argue. You claim you aren't this other poster. B.S. You signed up today, come specifically and only (until I post this, you'll likely deviate from this once I say it now) to this thread. You are not a bystander.


Clearly, you're backed in a corner and want the mods to rescue you.


Oh, that's rich. I have pointed out facts about what I said, posted URL's, you are obviously this other poster. And somehow *I* am backed into a corner? How is that? I've not fled the scene, I'm not evading the topic or any portion of your post. I have responded to every single point, irrelevant or not, on topic or not, that you and your other personality have brought up.


Good luck.


Uh huh. You're not a fast learner, are you?


Any mod will find quite easily that I'm not "ryza".


If you say so. Apparently you're just a random weirdo that likes to fight with people.


Once again, you're taking the easy route and trying to claim that I don't know what I'm talking about, instead of proving that you do.


Well, you say that, but of course I posted URL's as proof. People can search more in-depth if they choose to. I explained the different concerns and why this is a good solution. I proved that these partition schemes make for a more secure server. You've not proven otherwise. I've proven everything I said, and you're saying I'm taking the easy route out? I'm simply pointing out the flaws in your response and why you're wasting people's time. Whatever you choose to view that (or claim that) as to benefit yourself or feel better about what happened, doesn't affect me.


[More "I'm right, you're wrong" content-free blather snipped.]


If you say so. Speaking of proof; This comment is supposed to prove something? Are my feelings supposed to be hurt, because *you* are ironically the person that can't stand to be wrong?


This appears to mark the end of any on-topic content,


That ceased to be once you posted. The order of the thread and posts shows this.


and the beginning of immature personal attacks,


I agree, you should just give up. Your plan to post as another user to try and save your embarrassment didn't work out well.


so I have stopped reading here.


Good for you, now go away and troll somewhere else.


I'm not going to stoop to your level.


Stoop up? :-) Interesting that you were 'okay' with not stooping to come in and start blabbing on about things you don't know and making inaccurate claims, because your feelings were hurt. Obviously this field is too much for you to deal with. (Don't confuse humor with attacks, you're just asking for it. Who would I be not to oblige?).


Sorry.

Don't be sorry. No one's perfect. And it's not too late to learn about this. I can suggest some good books and web sites if you are that concerned. We're still friends, right?

rackyou
11-22-2002, 10:54 PM
2HOST.COM: So, what would be your recommendation to a "newbie in dedicated hosting" who is about to order a dedicated server with RackShack? I see you have pointed out quite a few issues, unfortunately I don't really understand ALL of them. You've got me kinda confused revealing all these security problems and I'm afraid that I might not be aware of all of them, or even worse: be able to fix them all.. Are you trying to say that RackShack is not a good solution? :(
Thanks.

Aussie Bob
11-22-2002, 10:57 PM
Originally posted by clockwork
Couldn't have said it better myself, well done.
Like reading a book. :D

Turbo
11-22-2002, 11:21 PM
Originally posted by 2host.com
Anyway, again, where's the technical reasons why I'm wrong?
Look back, I never said you were "wrong." In fact, I acknowledge that separate partitions may be advantageous in some scenarios. (Most servers I build have multiple partitions, primarily for reliability and fragmentation concerns.) I do not however agree that there is anything close to a night and day difference in security between using separate partitions for everything versus one or two, as you seem to be implying. How many popular exploits could have been prevented by using separate partitions? (Hint: Virtually none) When someone's server is compromised, how often is it concluded, "It was because they didn't have enough distinct partitions." (Hint: Never)

I posted the URL. You refuse to accept that.
What makes you think I didn't read it? I did check the URLs you posted, and the information therein is nothing new to me.

You claim you aren't this other poster. B.S. You signed up today, come specifically and only (until I post this, you'll likely deviate from this once I say it now) to this thread. You are not a bystander.
That claim could have been made about ANY new poster. Everyone starts somewhere, believe it or not.

Apparently you're just a random weirdo that likes to fight with people.
On the contrary, I joined the discussion in the hopes of acquiring and sharing knowledge about system security. Unfortunately, most all of what you have been dishing out thus far are comments to the effect of, "I know more about Unix security than you, period, so go away." You have absolutely no idea about my experience in securing Unix systems, so don't assume.

I proved that these partition schemes make for a more secure server.
I agree that it can, in certain (rare) cases, make for a more secure server. But how much more? 0.001%? Does a minuscule increase in security always justify a large decrease in convenience, flexibility, and speed[1]? I'd answer "no."

Security-wise, there are FAR more important things to worry about than partitioning. You're infinitely more likely to be hit by the OpenSSH, Apache, Sendmail, etc. exploit of the day than by some exploit relating to a certain partitioning scheme.


[1] referring to moving files between directories

2host.com
11-22-2002, 11:22 PM
Originally posted by rackyou
2HOST.COM: So, what would be your recommendation to a "newbie in dedicated hosting" who is about to order a dedicated server with RackShack? I see you have pointed out quite a few issues, unfortunately I don't really understand ALL of them. You've got me kinda confused revealing all these security problems and I'm afraid that I might not be aware of all of them, or even worse: be able to fix them all.. Are you trying to say that RackShack is not a good solution? :(
Thanks.

I don't want to come off the wrong way and start a flame war. The original post was about why dedicated server providers will not do good partition schemes. I mentioned a few reasons why and mentioned Rackshack as an example. I stated this because I was with them for about 4 or 5 months (many months ago) and this was a big issue for some of us on the RS forums. Anyway, they never changed that, basically saying they won't change their install images and you get what you get. Myself and many others stated reasons why this is important to some of us, but since most RS clients don't know a lot and just want cheap servers with a lot of bandwidth, it was not a priority, as many things at RS are not due to this.

RS has good prices and you get a lot of bandwidth. Their network is decent for what it is. But for any issues with your server set up, they won't do anything at all for you. Once they install everything on the / root partition, you can't change it (unless you get a second drive, which I did and created the partitions on that second drive. This causes a hassle and interferes with local system backup stuff too).

I would not suggest RS to anyone that is serious about system security. I would not recommend them for any business sites that need uptime, especially web hosts. This is all obvious. But I'd not recommend them at all if you are new to this field. Having nothing to do with the other issues, since they don't offer support. I have posted a few times explaining other reasons, explaining it's not due to my need for them to do things for me (I know how to do it all), but one file goes corrupt due to a disk issue, out of your control, and that's it. If you can't log in, you will be told you need a full reinstall. This wipes your backup drive too. This is a disaster in the making, unless you're lucky and those systems aren't the best quality hardware, so you're living on luck.

I would not recommend them based on many things, and this is one of them. They don't appear to know what they are doing. If they do (I'm not saying they don't, to be fair), then it's just that they don't care, because there's no real demand in their market for any well set up system. I'm talking in regards to basic things such as this. Nothing that would take any more effort than to change the install image. But they make a lot of money and don't want to change something that could add another 1 minute to each set up, if they need to partition it, so while I understand, it's not a very good solution and I would suggest someone else.

I personally went with webreseller.net. I have been extremely happy, their connection is faster too. They did the install I wanted, with the OS I wanted, with the partition scheme I wanted. It's not a big job and it's nothing wonderful, just a simple thing, but they were willing, as most dedicated providers are and should be. They will also log into your server and at least type in what you tell them if something goes terribly wrong with files or libraries needed to log in, in case of hardware issues (a better solution than "We can only reinstall for X amount of dollars"). Currently, the only issue with WR is that they don't have redundancy, which is supposed to be coming soon. I find that problems with either WR or RS anyway, result in the same type of downtime and this means that even lacking redundant connections, it seems to have the same result with any problems anyway, so RS doesn't seem to have that advantage (they do in some ways, though).

Anyway, I would not suggest you use them for a variety of reasons. Yes, they don't seem to know, or at least don't seem to care, about this one topic in this thread. There are issues involved. This is a sloppy set up and it's insecure and you risk losing a lot of data that might have resulted in little data lost, if you have the partition table corrupted or some part of the drive fail, that might have otherwise been minimal. Imagine the area of the drive with the /tmp partition itself (its own partition) failing. You lose nothing. If it's mounted to / and you have a problem, you risk losing all the data on the drive. There are many reasons, and although this is only one issue of many, some of which RS might not be so careless about, I do believe this is one good reason, out of many, to not use them. I speak from experience.

I don't suggest this for you. At the same time, it's not going to be the end of the world if you do go with them (probably not). Another issue is, barring any remote exploits that could compromise your system due to the ability to exploit something they'd not have been able to otherwise (as mentioned previously), if you have no other users you can't trust and no one malicious gains access to their user account, then it does reduce the risk in some aspects. I hope this helps and seems like a fair argument.

Certainly consider them for your own reasons, I just was using them as a prime example due to the topic of the thread. And, as always, research this yourself. Learning never hurts and you'll be able to make educated decisions to help you create and be using a more stable, secure server environment (and that can save you more hassle than I can put into words). Good luck.

2host.com
11-22-2002, 11:31 PM
Originally posted by Turbo

blah, blah, blah.


Give it up already. No one's going to sign up a new user the same day, and be so involved and emotional about it, only to participate in this thread, etc., and try and convince anyone of any of your nonsense. Enough already.

Trying to play it off now that you never disagreed, you're not the other poster, and that "Okay, it might make some difference, but it's only 1 1/100th of a billion billionths of a difference" and act like I didn't have a valid and true point, or that this isn't an important step in securing a server and ensuring better data integrity, is just pathetic.

And spare us all from trying to act like I ever said this is the most important security issue people can face. I said it's important, and offered many reasons why. Not just for security. The original question didn't mention security, I did. I also mentioned other issues besides that topic. You can play games all you like, you were out of line. You were spanked for it, end of story.

I didn't do any more than just glance at and breeze over your post. I saw what you said, but I'm not going to waste time responding to each point and try and spell it out for you. Obviously you've got a problem. I'm very impressed with your attitude, and your attitude says it all.

I needn't be familiar with your 'experience' in securing servers, simply because your argument and initial hostility about valid and true points, plainly says that you don't know and your experience is bogus or flawed. If you want to come in yelling for me to prove things that are right in your face to see, post anonymously as another user to try and agree with yourself, and so on, then don't expect me to tell it any other way than how it is. And, that is how it is. Deal with it.

Save yourself the trouble, you're really not going to convince anyone. Move on or read a book or something. I don't even know why you're still bothering to post here. However, I can tell you that I'm done responding to you. Self pride only gets you so far if you're not willing to be educated on topics you want to argue about. Grow up. In fact, I don't think I even want to be your friend anymore!

Turbo
11-22-2002, 11:56 PM
Originally posted by 2host.com
Trying to play it off now that you never disagreed
I didn't disagree with the facts you presented. I disagreed with the unwarranted attitude of "my way is the only way." I don't believe multiple partitions are an absolute necessity for a secure system as you seem to. You're certainly entitled to your own opinion, but it's not very helpful to those reading the thread to present it as if it's the only valid viewpoint.

you're not the other poster
For the nth time, I'm not. I have no idea who the other poster is, and in fact, I don't agree with all his/her statements.

and that "Okay, it might make some difference, but it's only 1 1/100th of a billion billionths of a difference" and act like I didn't have a valid and true point
You brought some valid and true points to the table, but in my view they had little to no "real world" significance.

ensuring better data integrity
Read what I said in my last post. I said I used multiple partitions for, quote, "reliability concerns". (However, with modern journaling filesystems, this is becoming almost a non-issue...)

Obviously you've got a problem.
Where is this attitude coming from? So we have a difference of viewpoint. How does that warrant the unrelenting personal attacks from you? Let's just agree to disagree, shall we.

HostInspect
11-23-2002, 01:17 AM
Fighting over a tmp dir, phh

Look if you are on Rackshack, this is what I recommend, since the tmp dir tends to be on the / partition, which is small, and not always good if you have a huge site, and run backup scripts and to prevent / from filling up and making your server crash. So it is best you move it to your /home dir, since it is larger to sustain that much info, and worry less about your HD filling up.

So I recommend this, especially if you are on Ensim.

cd /
mv tmp xtmp
mkdir /home/tmp
ln -s /home/tmp /tmp
chmod 1777 /home/tmp

And that should do it...it may apply to other stuff.

Ciao.

ryza
11-23-2002, 10:33 PM
I don't think I have read anything useful from 2host.com,
in fact you seemed very defensive about people commenting
it looks like this thread turned into a "flame war" by you even.

*sigh

suggestion for "2host.com":
maybe you should think before you post replies to very experienced linux users.
or maybe you should calm down and not be so defensive?

ryza

clockwork
11-23-2002, 10:43 PM
Originally posted by ryza

suggestion for "2host.com":
maybe you should think before you post replies to very experienced linux users.
or maybe you should calm down and not be so defensive?

ryza

I think he was trying to state that experienced linux users ought to know how to properly partition a system.
Then some people jumped on him, in what I believe was an attempt to justify their current partition scheme, trying to disprove facts... which can't be disputed.

All of his information is correct, heck, he even posted references, what else is needed?

Aussie Bob
11-23-2002, 10:47 PM
Originally posted by clockwork
All of his information is correct, heck, he even posted references, what else is needed?
Yep. I've been reading Robert's posts now for a while and he could do some brushing up on his people skills :), his posts are always jam packed with good information. He knows his stuff. I like the way he neatly lays out his replies etc. Looks real good.

2host.com
11-23-2002, 11:08 PM
Originally posted by ryza
I don't think I have read anything useful from 2host.com,


And why in the world would you claim otherwise? Of course you'll say that. I posted explaining that you were wrong. Your reaction is nothing new.


in fact you seemed very defensive about people commenting
it looks like this thread turned into a "flame war" by you even.


If you say so. It takes two to tango.


*sigh


*swoon, *fall, *dramatic death scene.


suggestion for "2host.com":
maybe you should think before you post replies to very experienced linux users.


I believe I've shown who the 'experienced Linux user' is. I put reasonable thought into my responses, posted URLs and examples, reasons and the like.


or maybe you should calm down and not be so defensive?

ryza

Gosh, I don't know. When I'm no longer attacked by people that lack skills in this field because they don't have the education to know not to disagree with the facts. Worse, when they (the facts) are right in front of their face and they still want to try and say they are right and act like I don't know what I'm talking about. And, don't confuse that for meaning that I'm one of those that thinks I'm only right and no one else is. If the facts are indisputable and posted even, why go on about it and argue about it?

If you don't make an effort to be reasonable, don't expect me to make any effort to go out of my way to try and be your best friend in response. I posted facts, explained why and I was met with more nonsense. If you think that's defensive, it's only to prove what I said, and explain why. I know how that bothers some people, but no other response would make sense.

You know, most anyone else can see this, even if my approach to responding imposes potential for flame wars because I make an effort to be more correct about the facts than to worry about who will show up at my next birthday party.

This isn't a chat room, I'm not trying to make friends. But posting facts and telling someone they are mistaken shouldn't result in making enemies either. You came in posting inaccurate and harmful things that affect many businesses and sites with important data. I felt I should post the facts of the matter.

Going on about how I'm not posting any facts or anything useful, simply because you looked foolish for your response, doesn't mean jack. What more can I say? You come in telling me that what I post isn't true, when you're very wrong, I'll say "You have no idea what you're talking about". Do I expect that will make me a friend? No. Do I expect that it'll start an argument? Usually, it does.

But I would rather post accurate information that any rational person not looking for a fight can relate to and understand, and consider. There's no way to tell someone they are wrong without telling them they are wrong. Your response dictated my attitude in response to say exactly what the facts are. I'm not concerned about anything else. The people that matter, seem to get it, and know I didn't come in with any intention to fight with you. I'd dare say you initiated it and I couldn't just not respond when this affects people's servers. That's all I have to say. Everyone else here has their own mind and can discern for themselves. Allow them to, and end this nonsense. I'm done with it.

my $peoplekills = $peopleskills - 1;

Turbo
11-23-2002, 11:16 PM
Originally posted by clockwork
I think he was trying to state that experienced linux users ought to know how to properly partition a system.
"properly" is strictly a matter of opinion. There is no 'one true way' of partitioning a system.

All of his information is correct
No, not all; for example, he tried to claim that partitioning affected the possibility of symlink attacks. This is false. Symlink attacks can be carried out regardless of the partitioning scheme.

But this is beside the point: that he shouldn't be flaming anyone and everyone who doesn't agree with his viewpoint to the letter.

2host.com
11-23-2002, 11:38 PM
Originally posted by Turbo
"properly" is strictly a matter of opinion. There is no 'one true way' of partitioning a system.

No, there's not a 'set way', but there are 'set ways' of what you _should_ do and _should not_ do.


No, not all; for example, he tried to claim that partitioning affected the possibility of symlink attacks.


If someone can symlink to a file on the same partition, it can allow problems that would not be in existence if you had the file that's being exploited on another partition. And don't go saying that means I said that as long as any file is on another partition that it can't be exploited. I said it can prevent such things as this. And no, I'm not saying it always has to be aimed at a specific target, rather than the method itself.


This is false.


You have no idea what you're talking about. Why don't you read up on this?


Symlink attacks can be carried out regardless of the partitioning scheme.


They can be, but certain attacks can be prevented if the file resides on another system that they are using this method to exploit.


But this is beside the point:


You'd have to make a real, valid point, for it to be 'beside'. Also, you disagreed with many points I made that were right in that URL, in books and other resources. It seems as you are exposed for not knowing or the more facts you slowly digest, that you move down the list to other things to want to claim are false. (Save yourself the trouble and just study it! Then come back if you feel the need.)


that he shouldn't be flaming anyone and everyone who doesn't agree with his viewpoint to the letter.

And ironically, that very same logic should apply to YOU. Or do you fail to see that as well? Oh right, I was making an effort to not respond to anymore of your nonsense. I see there's a neat little "ignore" feature. I think I'll use it. I suggest you read a book or two, maybe do some searches. In the meantime, spare me from accusations of what you yourself are guilty of and basically one of the instigators of, by coming here yelling that I'm wrong when you obviously fail to understand the topic fully.

Turbo
11-24-2002, 12:08 AM
Originally posted by 2host.com
No, there's not a 'set way', but there are 'set ways' of what you _should_ do and _should not_ do.
Says who? The partitioning police?

Nope, that is merely your opinion.

There are no 'set' ways whatsoever.

If someone can symlink to a file on the same partition, it can allow problems that would not be in existence if you had the file that's being exploited on another partition.
Are the two partitions mounted with different options; for example, one rw and one ro? If the target of a symlink is on a read-only partition, then quite obviously that would foil a symlink attack. However, you didn't say anything about using read-only partitions in your original mentions of "symlink attacks".

You have no idea what you're talking about.
Blah blah blah.
Once again it appears you have an unfortunate inability to converse without resorting to immature cheap-shots at every opportunity.

2host.com
11-24-2002, 01:02 AM
Turbo is not a real sysadmin, but he plays one on WHT.

Originally posted by Turbo

Says who? The partitioning police?


Well, the ignore feature still shows your post. I thought it would killfile you. I'll respond to this then. Yeah, I'm a glutton for it.


Nope, that is merely your opinion.


Well, no. You see, as the URL I posted even outlined, it's not an 'opinion' that this will improve security, data integrity (and also performance, but I don't have a URL handy to educate you about it).


There are no 'set' ways whatsoever.


Well, there are for a better performing file system that's more secure and has better data integrity. Refer to the URL. So, while it's not _required_ for a server to run *I never said it is*, it is not as good and is (more) insecure and involves other issues that make it a BAD idea. People that fail to understand this, need to learn about it. People that don't do it, aren't knowledgeable enough, especially if they think it doesn't make a difference or isn't needed.

People that know about this topic, know this is what they should do. Knowing this, they DO it. Again, feel free to research it, for goodness sakes. I don't understand you. Look at the thread's history, the posts in the order they were posted. You came in saying I was wrong and then challenged me. You just said I was again recently, and now you (even in this post) admit that what I said IS true (in your own little way of not trying to be obvious about me actually being right). Am I not allowed with you? :-)


Are the two partitions mounted with different options; for example, one rw and one ro?


There are more options than read-only. I also did mention them in my previous posts. If you don't believe me, go look. I haven't edited them all of a sudden or anything to show you.


If the target of a symlink is on a read-only partition, then quite obviously that would foil a symlink attack.


That, among other reasons. Reasons which you aren't aware of. Not to offend you, but this is ridiculous. Because *you* don't know, you're getting on *my* case?


However, you didn't say anything about using read-only partitions in your original mentions of "symlink attacks".


I said a lot of things in my post where I mentioned this. I said "You can mount partitions with different options". I even mentioned a few. That is right there for you to read, along with everything else. Do you understand why I am so annoyed with you and your nonsense? Now 6 posts from you, this being the only thread you're so emotional about and the only one you're involved in. You're just ignoring everything that's right in front of your face, not making any sense, either making up lies or just claiming things out of ignorance or to impress yourself. Look at what is there. It's RIGHT THERE!


Once again it appears you have an unfortunate inability to converse without resorting to immature cheap-shots at every opportunity.

And once again, your post is too ironic and filled with self-guilt. Why do your own rules not apply to you? It seems that you are the type of person that I have to agree with that *I* am wrong about something you don't know about, or I'm guilty of all the things you want to accuse me of. Again, read the post for what it is. You came in challenging me to "prove what I said is true" because I hurt your other personality's feelings by saying they are wrong. You did this, in response to a post WITH that proof, WITH a URL to one of MANY sites about this. Yet you CONTINUE to say that I'm wrong. Yet, even the very last thing you resort to claiming this about, you just mentioned above, that yes, different partitions can indeed "prevent these attacks after all". You NOW claim that "well, you didn't mention read-only".

Look, be it you DIDN'T SEE in my previous post where I DID mention such things, or that you just want to find an excuse to ARGUE and say crap to try and discredit me to make me out to be a guy that starts problems, is irrelevant. I DID say it previously and YOU yourself just have proven that I was correct about THIS last aspect too. WHAT MORE do you WANT? My goodness, you are SO annoying! Not ONCE did you respond with technical reasons why I was wrong and you eventually admit I was right about everything I said. This shows it's NOT an opinion. This shows that if these ARE facts, which they ARE, that it's not my 'opinion' that people should do things how I mentioned only. It's basic stuff, you just chose to argue with me about it.

You are foaming mad, you just enjoy this. Troll and annoy people, challenge what they say and try and discredit them to get a response about a topic you have no knowledge of, and then ironically call THEM immature for responding to YOUR post, even if just with facts (which you eventually agree to). Well, like I said, you're not a very complicated person. (take that for whatever you want). You are a colossal waste of time. THAT will be my last post to you, now that I see the ignore feature just displays everything but the actual content of your post (sitting there, taunting me. :-)

Turbo
11-24-2002, 01:32 AM
Originally posted by 2host.com
Well, no. You see, as the URL I posted even outlined, it's not an 'opinion' that this will improve security, data integrity (and also performance, but I don't have a URL handy to educate you about it).
I have no argument that partitioning can improve security and data integrity. That doesn't mean that it's the only choice, and that it's for everyone in every single scenario.

You came in saying I was wrong and then challenged me.
No, I simply didn't say "you were wrong". The only statement I labeled as wrong was your statement about symlinks being more secure on partitioned systems, and you have now clarified that it wasn't a blanket statement, but a statement applicable to certain mount option schemes. In that context, your statement is indeed true.

You just said I was again recently, and now you (even in this post) admit that what I said IS true (in your own little way of not trying to be obvious about me actually being right). Am I not allowed with you? :-)
Now that the symlink misunderstanding has been cleared up, I can now agree that all your statements are indeed true.

There are more options than read-only. I also did mention them in my previous posts. If you don't believe me, go look. I haven't edited them all of a sudden or anything to show you.
Yes, I am fully aware of this. You did not however associate your statements about mount options with your statements about symlinks.

You are foaming mad
I am? Compare the average length of your posts to the average length of mine. Next, compare the amount of personal attacks and cheap-shots in your posts to mine. Now, who's really "foaming mad" here?