1

I'm a new sysadmin in the making, have learned that I need to have /tmp and /home directories on separate partitions in order to prevent possibilities of privilege escalation through hard links based attack. Unfortunately my vps host doesn't allow partitioning at all! With that, I'm left with two options...

1) either abandon the host, 2) Ask the experts if this is a serious issue, and if it, then if there is any other way through which we can prevent hard links based attacks!

Are there any further disadvantages of not being able to create partitions in future course of vps management journey?

Looking forward for guidance in this matter. Thanks for your help.

Vishal
  • 11
  • 1
  • What do you mean that they don't allow partitioning? That they don't have any easy way to provide it, or explicitly don't allow it? If your VPS has some kind of console access you should if nothing else be able to do a manual reinstall, setting up the partitions the way you want it. – andol Mar 07 '14 at 06:09
  • You might be able to setup a loopback file system for those mount points. – toppledwagon Mar 07 '14 at 06:17
  • @toppledwagon, is it ok to put the tmp directory on a ssd storage backed vps on a loopback file system? – Vishal Mar 07 '14 at 06:23
  • Thanks folks for replying, but Digitalocean doesn't allow partitioning! – Vishal Mar 07 '14 at 06:35
  • @Vishal then don't do a separate partition, but file and mount it using loopback. – neutrinus Mar 07 '14 at 06:38
  • @neutrinus, won't using a looback filesystem be taxing and will have a significant performance impact? The main issue I'm trying to solve is barring users from being able to create hard links from tmp and home directories.. I even want to secure the home directory! I don't understand how Digitalocean has kept their architecture that they aren't allowing this partitions management! – Vishal Mar 07 '14 at 06:54
  • Using a loopback file system will cause a performance hit, but you didn't list performance as a requirement. It does solve the stated problem. So not prematurely optimize. :) – toppledwagon Mar 07 '14 at 07:15
  • @toppledwagon lolz :) My objective is to prevent hard links and making tmp and home secure! Of course an nfs mount too will have performance impact and so I didn't consider that... So, how much performance impact should I anticipate?? Or do I need to benchmark on my own? Is there any other better way out to this issue of securing these specific directories? Thanks folks! – Vishal Mar 07 '14 at 07:21
  • You'll need to benchmark on your own. There will be *some* hit, but you might not even be able to measure it in your own environment. It'll depend on how much you use /tmp and /home. I'd also recommend mounting /tmp with noexec,nosuid,nodev. I also didn't say anything about nfs, I was suggesting a loopback file system. – toppledwagon Mar 07 '14 at 09:13
  • Which Linux distribution is this? – Michael Hampton Mar 07 '14 at 10:24
  • Yes @toppledwagon, will definitely mount it with noexec,nosuid,nodev,noatime options... Will test it with bonnie++ . Need to make sure how much performance bottleneck it adds up even along with all these device settings. I have to thank you for your help! Parallelly, was wondering how partitions and mounts inside LXCs would have or won't have performance bottlenecks similar to loopbacked mounts! – Vishal Mar 07 '14 at 10:30
  • @MichaelHampton, I'm using debian for now. – Vishal Mar 07 '14 at 10:31
  • This, incidentally, is why the provider makes it clear it's for development systems, not production ones... – Bandrami Mar 07 '14 at 12:39
  • New revelation for me! DO isn't production systems? @Bandrami – Vishal Mar 07 '14 at 13:11

0 Answers0