LinuxQuestions.org
Old 08-18-2003, 02:15 PM   #1
complus
Member
 
Registered: Aug 2003
Distribution: Red Hat 9
Posts: 76

Rep: Reputation: 15
Question partitions suggestions for RH webserver


I was wondering if anyone can give me some guidelines on how I should partition my hard drive.

My server is a Dell PowerEdge 1650. It's a Pentium 1266MHz processor with 256MB RAM (do I need more??) and 20GB HD. It will be used as a web server. I will be hosting one website from this machine, and I am not storing any data. I don't really require home directories...

When I choose the automatic partition I get:
Code:
Device           Start  End    Size(MB)   Type    Mount Point  
--/dev/sda            
  --/dev/sda1     1     6        47       ext3      /boot
  --/dev/sda2     7     2148   16802      ext3      /
  --/dev/sda3    2149   2213     510      swap
Is this sufficient and / or safe?? Basically I have the following needs of the web server:
1. Serve approx 100 static html pages with Apache
2. Serve approx 5 pages that run an OLDP transaction with our backend UNIX system.
3. Serve approx 10 JSP and run approx 10 Java programs with Tomcat

The website will be accepting payment for a service, and send data off to a processor. As I mentioned, I am not using any type of database to store any data (not storing cardholder data). The traffic won't be that heavy in the beginning. Later, we will be adding an IVR system that will also use my web server to process credit card transactions.

Should I have my web app on a separate partition than everything else? (I'm not even sure if this is possible)

For example, have:
1)root partition
2)boot partition
3)swap partition
4)webapps partition (has all apache and tomcat config files, and pages/programs to be served)

I am not completely clear on the purpose of the partitions other than keeping data separated. I'm not sure if separating things on partitions helps to make a more secure server? For example if my website gets hacked, and I have the webapp on a separate partition, can I prevent the rest of my server from being touched?

Thanks for the help.
 
Old 08-18-2003, 02:43 PM   #2
jdruin
Member
 
Registered: Jul 2003
Location: Louisville aka Derby City
Distribution: WinXP SP2 and SP3, W2K Server, Ubuntu
Posts: 313

Rep: Reputation: 30
One source (Maximum Linux Security) suggests that having data on separate partitions does protect other partitions should a program on any one partition be hacked. The author suggested SUID programs as a security risk if they occupy the same partition as root.

SUID programs execute with the owner's privileges regardless of who runs them. If a SUID program is owned by root, it executes with root privileges no matter who executes it. Some examples of SUID programs that are owned by root are:

ping
su
mount
umount
crontab
rpc
rlogin
etc...

To take advantage of the separate partitions, you can go to fstab and mount the partitions 'no setuid'.

As to what partitions you should have, not sure. The example I see is:

/
/tmp
/var
/home
/usr

all on separate partitions.
 
Old 08-18-2003, 02:55 PM   #3
MacKtheHacK
Member
 
Registered: Jul 2003
Location: Boston, MA, USA
Distribution: RedHat, SuSE, Gentoo, Slackware, Mandrake ...
Posts: 111

Rep: Reputation: 15
It doesn't really matter for your purposes. Creating a separate filesystem to put all your web server data on isn't going to make it any more secure. If someone cracks your system, they're going to be able to access any files on any mounted filesystem, regardless of what filesystem it is on.

Creating multiple filesystems can be useful if you expect to be running out of disk space. For example, if you have interactive users, you normally put all their home directories in a separate filesystem (/home). That way, if they fill it up, there's still space in the / filesystem for the system to use. If you didn't make /home a separate filesystem, then when users used up all your disk space, the system wouldn't even be able to log the errors and the whole thing would grind to a halt. Separating things into separate filesystems prevents such situations.

Because you're not expecting any dynamic creation of data on your web server, your disk is unlikely to fill up like this. The only thing that might make this happen is if you're not rotating your log files frequently enough and they fill up the disk. With 20GB to serve 100 pages, that's not going to happen if you rotate logs properly.

BTW: I'm saying "filesystem" here instead of "partition" because when you're talking about / or /boot or /home you're referring to the logical filesystem built within a disk partition (or spanning several disk partitions if you're using Logical Volume Management). Partitions refer to physical disk devices, such as /dev/hda3, while filesystems refer to the logical structure of your data. Just a minor distinction.
 
Old 08-18-2003, 03:02 PM   #4
complus
Member
 
Registered: Aug 2003
Distribution: Red Hat 9
Posts: 76

Original Poster
Rep: Reputation: 15
Thank you both for your posts. I'm actually not worried about running out of disk space. My concern was whether or not there was a way to restrict the access to the separate 'filesystems'.

If I understand you correctly, then the actual partition is the /dev/hda, and the /dev/hda1-3 are the filesystems??
 
Old 08-18-2003, 03:57 PM   #5
MacKtheHacK
Member
 
Registered: Jul 2003
Location: Boston, MA, USA
Distribution: RedHat, SuSE, Gentoo, Slackware, Mandrake ...
Posts: 111

Rep: Reputation: 15
>... the actual partition is the /dev/hda, and the /dev/hda1-3 are the filesystems??

Well, no. /dev/hda is the entire disk. /dev/hda1, /dev/hda2, etc. are partitions on that disk. You create filesystems within those partitions (with the mkfs command), and mount them at directory pathnames like / or /var or /home. Yeah, I misspoke: partitions refer to *parts* of the physical devices. Sorry about that.

jdruin is right about the SETUID thing; I had forgotten about that. The idea is that you put all directories that normal users can write to in filesystems mounted with the "nosetuid" option. Then even if they manage to create a file with the setuid permission bit on, the system will ignore it.
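
Added example, not part of the original thread: a small shell check that reads an fstab and reports which user-writable mount points are not mounted with the setuid-ignoring option, which mount(8) spells `nosuid`. The function names, the default mount-point list (/tmp, /var, /home, taken from the layout suggested above) and the sample fstab with its /dev/sda5 and /dev/sda6 entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an fstab for writable filesystems lacking nosuid.
# Usage: audit_nosuid FSTAB [MOUNTPOINT...]   (FSTAB may be "-" for stdin)
audit_nosuid() {
    fstab=$1; shift
    # Assumed default: the user-writable filesystems named in the thread.
    [ $# -gt 0 ] || set -- /tmp /var /home
    awk -v want="$*" '
        BEGIN { n = split(want, w, " ")
                for (i = 1; i <= n; i++) check[w[i]] = 1 }
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        ($2 in check) {                    # field 2 = mount point
            seen[$2] = 1
            m = split($4, opt, ",")        # field 4 = mount options
            ok = 0
            for (i = 1; i <= m; i++) if (opt[i] == "nosuid") ok = 1
            if (!ok)
                print "MISSING nosuid: " $2 " (" $1 ", options=" $4 ")"
        }
        END {                              # not its own filesystem at all
            for (i = 1; i <= n; i++)
                if (!(w[i] in seen))
                    print "NOT SEPARATE: " w[i] " has no fstab entry of its own"
        }
    ' "$fstab"
}

# Constructed sample fstab: /tmp is hardened, /var is not, /home is
# not a separate filesystem.
sample_fstab() {
    cat <<'EOF'
# device    mountpoint  type  options          dump pass
/dev/sda1   /boot       ext3  defaults         1 2
/dev/sda2   /           ext3  defaults         1 1
/dev/sda3   swap        swap  defaults         0 0
/dev/sda5   /tmp        ext3  defaults,nosuid  1 2
/dev/sda6   /var        ext3  defaults         1 2
EOF
}

sample_fstab | audit_nosuid -
```

On a real system the first argument would be /etc/fstab; a flagged entry is fixed by appending `,nosuid` to its options field and remounting.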
 
  

