On 15:41, Sat 17 Dec 05, Andrew Kohlsmith wrote:
> On Saturday 17 December 2005 15:18, Michiel van Baak wrote:
> > I disagree here.
> > You have at least 1 user to remotely login to the system to
> > do some work on it. Think config changes etc.
> > In case of unauthorized access (ppl stole your password or
> > whatever) you will be glad you have /home on a separate
> > partition that is mounted noexec,nosuid,nodev
>
> And I disagree with you. :-) My Asterisk installs are minimal. Two
> partitions, one for / and one for /var, with /tmp symlinked to /var/tmp. I
> have only two accounts log in, root and a script account, both using DSA
> keys. I imagine you could put /home in /var/home but really it's not that
> critical for me. If someone gains root or the script user access they can
> cause a lot more damage than any rootkit.

True. No setup is secure. The only security is disconnecting
your system from the net ;)

>
> > Even better would be to use LVM for /var partitions.
> > That way you can easily add extra space to it without the
> > hassle of moving around data.
>
> I use LVM for everything but /. :-)

Same here. drbd devices as low-level with lvm on top of it.

>
> Good tips for general multiuser setups but I dunno; you can secure everything
> out the wazoo and just end up with a local root exploit crashing through all
> your security. I prefer the minimal approach which doesn't let / fill up and
> if someone manages to grab a password... well you're screwed anyway.
> minimize the impact to other systems. :-)

This is becoming a thread that totally loses track of the OP
question.
Security is a complex issue and every system/install needs
its own policy. Like I said, I was just posting my own view
on things.

--
Michiel van Baak
http://michiel.vanbaak.info
[EMAIL PROTECTED]
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D

"Why is it drug addicts and computer aficionados are both called users?"
_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --

Asterisk-Users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
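
The mount options discussed in the thread above (/home on its own partition with noexec,nosuid,nodev, versus a layout where /tmp is only a symlink into /var) can be checked against a mount table. This is an added example, not part of the original messages; the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Audit a mount table (/proc/mounts format) for noexec,nosuid,nodev.
# Function names are illustrative, not from any existing tool.
REQUIRED_OPTS="noexec nosuid nodev"

# Constructed sample: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/mapper/vg0-var /var ext3 rw,nosuid,nodev 0 0
/dev/mapper/vg0-home /home ext3 rw,noexec,nosuid,nodev 0 0'

# missing_opts MOUNTPOINT [MOUNTS_TEXT]
# Prints the required options missing on MOUNTPOINT (empty if none), or
# "not-separate" when MOUNTPOINT has no entry of its own in the table.
missing_opts() {
    mp=$1
    table=${2:-$(cat /proc/mounts)}
    # The last matching entry wins: later mounts shadow earlier ones.
    opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        echo "not-separate"
        return 0
    fi
    missing=""
    for want in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    echo "$missing"
}

# audit MOUNTS_TEXT MOUNTPOINT...  (returns 1 if any mount point has a finding)
audit() {
    table=$1; shift
    rc=0
    for mp in "$@"; do
        m=$(missing_opts "$mp" "$table")
        case "$m" in
            "") echo "OK    $mp" ;;
            not-separate) echo "WARN  $mp is not a separate mount"; rc=1 ;;
            *) echo "WARN  $mp missing: $m"; rc=1 ;;
        esac
    done
    return $rc
}

audit "$SAMPLE_MOUNTS" /home /var /tmp || true
```

To check a live system, call missing_opts with only the mount point so that it reads /proc/mounts.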