Without a /var partition, anybody can trash your system over the Internet and render
wendo
06-13-2001, 05:37 AM
(QUOTE)Without a /var partition, anybody can trash your system over the Internet and render it unbootable. I've both done it and seen it done.
I found this posted to one of my questions.
I let Mandrake 7.0 auto-allocate my partitions and I don't recall it creating a /var partition. Is this a problem?
WEndo
mikeparks
06-13-2001, 09:35 AM
there is nothing wrong with or without a separate /var partition.
Dagda
06-13-2001, 09:37 AM
I don't think it's a problem as long as you keep an eye on how much free space you have. If your root partition gets full I think that will fsk Linux up.
FoBoT
06-13-2001, 09:44 AM
Originally posted by mikeparks:
(QUOTE)there is nothing wrong with or without a separate /var partition.
Craig will disagree; he is the one that has posted several times that a cracker can root you much easier without a separate /var.
i wouldn't know myself :o
these links support craig's position, from google :
http://www.fatpenguin.com/pipermail/sclug/2001-April/000251.html
http://www.linuxvoodoo.com/security/armoring.html
http://www.geocrawler.com/archives/3/302/2000/11/0/4608087/
there are some others , do a google search for "seperate /var partition security" for more
[ 13 June 2001: Message edited by: FoBoT ]
optech
06-13-2001, 10:03 AM
Well, I think it only matters if you're running a web server, really...
Strike
06-13-2001, 02:07 PM
No, any computer ought to have a separate /var partition. All logs are done in /var, and if you run out of space, things will either stop being logged or stop working. Either way, this is a Bad Thing (TM)
Craig McPherson
06-13-2001, 02:52 PM
If you don't have a separate /var partition, and you leave your computer connected to the Internet overnight, then yeah, I can probably fill up at least 3GB of your filesystem while you're asleep and can't do anything about it. If we're both on a fast connection, or if you're running Portsentry, or if you're a heavy sleeper, I can probably pull 6+GB in a night or possibly much more.
I'm not even a 1337 h4ck3r d00d, just someone who keeps abreast of security issues. The 13-year-olds who DoS for a living can probably fill 20+GB in a given night if your system is configured right/wrong.
It all depends on what services are running on your computer, how your logging is set up, and how much disk space you have free. So called "secure" systems are easier, because they have security logging software that can make the job a lot faster. But any system will go down eventually.
I got /var bombed by a guy once who filled up 800MB in under half an hour. Extrapolate.
The only defense short of symlinking every single one of your log files to /dev/null (there are even ways around that) is to have a separate /var partition.
It's your choice. I've been hit by /var bombers three times, but the second and third times they weren't able to touch me because I had a separate /var partition.
[ 13 June 2001: Message edited by: Craig McPherson ]
X_console
06-13-2001, 03:02 PM
A similar attack can be done by a local user if you don't have a separate /tmp partition. If /tmp rests on your / partition, then it's simple to write a script that will fill up /tmp, thus filling up your / partition. If you already have a /var partition, but no /tmp, you can just 'mv -f /tmp /var/tmp; ln -s /var/tmp /tmp' so that /tmp and /var are shared by the same partition.
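The check behind the two posts above, as an added example that is not part of the thread: a small POSIX sh script that reports whether /var, /tmp and /home sit on the root filesystem, so you can see before a log flood or a local "fill /tmp" script does whether it would fill / as well. It assumes only a POSIX `df -P`; the directory list is a choice made here, not something the thread prescribes.

```shell
#!/bin/sh
# Added example (not from the thread): find out which of /var, /tmp and /home
# share the root filesystem. Assumes a POSIX df that understands -P; nothing
# else is required, so it runs on any Linux or BSD box.

# mount_of PATH: print the mount point that PATH lives on, or nothing if the
# path cannot be examined (missing, no permission).
mount_of() {
    df -P -- "$1" 2>/dev/null | awk 'NR == 2 { print $6 }'
}

# same_fs A B: exit 0 if both paths live on the same mounted filesystem,
# 1 if they differ, 2 if either path cannot be examined.
same_fs() {
    a=$(mount_of "$1")
    b=$(mount_of "$2")
    [ -n "$a" ] && [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# check_layout: one line per directory, flagging those that share / with the
# root filesystem. Anything that can fill such a directory (remote log
# flooding of /var, a local user writing into /tmp) fills / itself.
check_layout() {
    for d in /var /tmp /home; do
        if [ ! -d "$d" ]; then
            printf '%s: missing\n' "$d"
        elif same_fs / "$d"; then
            printf '%s: on the root filesystem (%s), can fill /\n' "$d" "$(mount_of "$d")"
        else
            printf '%s: separate filesystem (%s)\n' "$d" "$(mount_of "$d")"
        fi
    done
}

# Usage: check_layout
```

Run `check_layout` on the box in question; a line that says "on the root filesystem" for /var is the situation Craig describes, and one for /tmp is the local-user variant X_console describes.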
Craig McPherson
06-13-2001, 03:36 PM
That's right, it's also a very good idea to symlink /tmp to /var/tmp. I do that on all my systems.
If you have local users you don't trust (not a very good idea, really...), you should also have /home on another partition so they can't fill up your rootfs by dd'ing an endless large file into their home directory, or use quotas.
But most people trust the users on the system not to DoS the system, but don't trust the script kiddies on the Internet to do the same, so it's less important.
stick
06-13-2001, 11:08 PM
i have only:
/ and swap
...that is because danger is my middle name... ahhhhhh yeaaaa!!
bdg1983
06-13-2001, 11:19 PM
?
I've filled up my / partition several times, I don't understand the danger. 5% of disk space is set aside for root anyways, so things will continue to at least function enough to fix things.
X_console
06-13-2001, 11:35 PM
It's not so much a danger that your system can get cracked. Rather, by filling it up, your system can cease to function. For instance, let's say you have a server with user accounts. If your /tmp is shared by / and your / partition fills up, your users will have a lot of problems. First, certain programs must write to /tmp. Since there's no space, the programs will fail. If /var rests on / and / is filled up, then syslog will not be able to append data to the log files. So basically it's more of a denial of service attack. You can recover from it, but it's annoying.
Craig McPherson
06-13-2001, 11:36 PM
Originally posted by moyix:
(QUOTE)5% of disk space is set aside for root anyways, so things will continue to at least function enough to fix things.
Would you like to guess what process the system log daemon runs as?
HINT: It rhymes with "boot"
(Except in Canada, where they pronounce everything wrong anyway.)
antitrustworthy
06-14-2001, 12:06 AM
How do you set aside a separate partition for /var and /tmp? Is there a Partition Magic-like program I need to download? What can I do?
Craig McPherson
06-14-2001, 12:37 AM
Here's a quick and dirty way:
1. Boot into single-user mode.
2. Create a new partition, mount it as /newvar.
3. cp -ra everything from /var to /newvar
4. Unmount /newvar
5. Move /var to /oldvar
6. Mount the new partition as /var
7. Update your fstab.
8. Reboot the system, make sure the new /var works correctly.
9. When you're sure everything works, delete /oldvar.
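Craig's steps 2 through 7 as a guarded script, added here as an example and not his own code. It assumes a Linux system with GNU `cp` (for `-a`), a target partition that you have already created and formatted (the device name and filesystem type are arguments, with `ext2` as the placeholder default), and that you are in single-user mode so nothing writes to /var while it is copied. The two small helpers that build and check the fstab entry are a choice made here; the thread only says "update your fstab".

```shell
#!/bin/sh
# Added example (not Craig's script): move /var to its own partition.
# Assumptions: Linux, GNU cp, single-user mode, the target device already
# formatted. Device names below are placeholders.

# fstab_line DEV MNT FSTYPE: the /etc/fstab entry to append. fsck pass 2 is
# the usual value for a non-root filesystem.
fstab_line() {
    printf '%s %s %s defaults 0 2\n' "$1" "$2" "$3"
}

# fstab_has_mount FSTAB_TEXT MNT: exit 0 if the given fstab text already has
# an entry for MNT (comments and blank lines ignored), 1 otherwise.
fstab_has_mount() {
    printf '%s\n' "$1" | awk -v m="$2" '
        /^[[:space:]]*(#|$)/ { next }
        $2 == m { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# migrate_var DEV [FSTYPE]: steps 2-7 of the procedure. Not run automatically.
# Step 8 (reboot and check) and step 9 (delete /oldvar) stay manual on purpose:
# /oldvar is the only copy you can fall back to if the new /var is wrong.
migrate_var() {
    dev=$1
    fstype=${2:-ext2}
    [ "$(id -u)" -eq 0 ] || { echo "run as root in single-user mode" >&2; return 1; }
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if fstab_has_mount "$(cat /etc/fstab)" /var; then
        echo "/etc/fstab already mounts /var, refusing to continue" >&2
        return 1
    fi
    mkdir /newvar
    mount -t "$fstype" "$dev" /newvar                  # step 2
    cp -a /var/. /newvar/                              # step 3: keep owners, modes, symlinks, dotfiles
    umount /newvar && rmdir /newvar                    # step 4
    mv /var /oldvar                                    # step 5
    mkdir /var && mount -t "$fstype" "$dev" /var       # step 6
    cp /etc/fstab /etc/fstab.bak                       # step 7, with a backup first
    fstab_line "$dev" /var "$fstype" >> /etc/fstab
    echo "reboot now and check that /var works; remove /oldvar only when satisfied"
}

# Usage (as root, single-user mode): migrate_var /dev/hda5 ext2
```

The script refuses to run if fstab already mounts /var, since running it twice would copy the new /var onto itself and then bury the live data under /oldvar. The same steps apply to a separate /tmp, or you can follow X_console's approach and point /tmp at /var/tmp once /var is on its own partition.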