Next, as to partition layout.
I was considering this partition layout:
/boot (ext2), 100M
/swap, 2048G
/ (ext4), 40G
/tmp (ext2), 2G
/var (xfs), 600G
But doing some reading, I stumbled on some other suggestions, like:
Bind /tmp to tmpfs, ie:
tmpfs /tmp tmpfs nodev,nosuid 0 0
Then I read another suggestion to bind /var/tmp to /tmp:
/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0
Which means that both /tmp and /var/tmp are now bound to /tmp?
But, I also read on one of these pages that tmpfs should NOT be used
for /var/tmp, because it stores files that need to be persistent across
reboots - is this still true?
My main concerns are security (which dirs should be separate so they can
be mounted as securely as possible, i.e. with the nodev, noexec and nosuid
mount options)?
1. Should I go ahead and make separate smallish (maybe 1 or 2GB) /home
so I can mount it nodev,noexec,nosuid?
2. Should I make a separate partition for /var/tmp so I can mount it as
nodev,noexec,nosuid, and bind /tmp to tmpfs as above? Or does the
caveat about /var/tmp storing files that need to be persistent across
reboots no longer apply, and I can bind them both to tmpfs?
3. Dumb question (google didn't give me an answer) - can I mount all of
/var noexec and nosuid? Assuming not...
4. Since I'm running dovecot with a single user (vmail), and dovecot
stores sieve scripts in the users 'home' dir, does this mean I can't
mount that directory with nodev noexec and/or nosuid?
5. Webapps... can I mount the dir where these are installed with
nodev,noexec,nosuid (I still use webapp-config to manage my website
installations, and currently these are in /var/www)?
I'm thinking an alternative would be to put all data that can be stored
on a partition that is mounted nodev,noexec,nosuid, ie:
/virtual
which would contain:
/virtual/home
/virtual/mail
/virtual/www
Maybe I'm overthinking/overcomplicating this, but obviously now is the
time to make these decisions...
So, comments/criticisms welcome as always...
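As an added example (not from the post above), here is a small POSIX shell audit that reads a mount table in /proc/self/mounts format and reports which of the nodev, noexec and nosuid options are missing on the directories discussed (/tmp, /var/tmp, /home, /var/www, /var). The mount table embedded below is constructed for the example; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a mount table for the
# hardening options discussed (nodev, noexec, nosuid). The table below is a
# constructed sample in /proc/self/mounts format, not a real system.
SAMPLE_MOUNTS='/dev/sda3 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/tmp /var/tmp none rw,noexec,nosuid,nodev 0 0
/dev/sda5 /var xfs rw,relatime 0 0
/dev/sda6 /home ext4 rw,nodev,nosuid 0 0'

# missing_opts MOUNTPOINT [TABLE]: print the hardening options the mount
# point lacks (space separated); prints nothing if fully hardened.
# Returns 1 if the mount point is not present in the table at all.
# TABLE defaults to the live /proc/self/mounts when omitted.
missing_opts() {
    mp=$1
    table=${2:-$(cat /proc/self/mounts)}
    # Field 2 is the mount point, field 4 the option list; the last entry
    # for a mount point is the effective one, so keep only that line.
    opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { print $4 }' | tail -n 1)
    [ -n "$opts" ] || return 1
    missing=""
    for want in nodev noexec nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s' "${missing# }"
}

# audit_mounts [TABLE]: one line per directory from the post, stating what
# is still missing or that the directory is not a separate mount.
audit_mounts() {
    for mp in /tmp /var/tmp /home /var/www /var; do
        if m=$(missing_opts "$mp" "$1"); then
            printf '%s: %s\n' "$mp" "${m:-ok}"
        else
            printf '%s: not a separate mount\n' "$mp"
        fi
    done
}

audit_mounts "$SAMPLE_MOUNTS"
```

Run it without the sample argument to audit the live system (it then reads /proc/self/mounts).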