Re: [gentoo-user] /usr as noexec? (was GB for / partition flamewar)
Hans-Werner Hilse wrote:
> Hi,
>
> On Sat, 18 Feb 2006 18:51:21 +0100 Maarten [EMAIL PROTECTED] wrote:
>> Back to the thread... I started wondering about something. I thought a
>> 100% full root filesystem was deadly, but never thought about /tmp.
>> So I'd like to ask, what is more deadly for a system, a full root FS, a
>> full /tmp or a full /var ? Why ?
>> And as a bonus question: which one is worse during boot, and which one
>> is worse on a fully booted and running system ?
>
> /tmp shouldn't matter. Full/read-only /var will disturb the gentoo rc
> scripts. When running, programs/daemons may act funny when they can't
> cope with the situation of full disks (e.g., PHP can't create session
> files anymore). You can't expect logging to work, too.

Assuming it's a database server a full /tmp will cause some issues.

kashani
--
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] /usr as noexec? (was GB for / partition flamewar)
kashani wrote:
> Assuming it's a database server a full /tmp will cause some issues.

In how far? Neither Oracle nor MySQL write to /tmp. MySQL may create a socket file, which by default resides in /tmp. But /tmp is a rather bad place for such a file anyway...

Alexander Skwar
Re: [gentoo-user] /usr as noexec? (was GB for / partition flamewar)
Alexander Skwar wrote:
> kashani wrote:
>> Assuming it's a database server a full /tmp will cause some issues.
>
> In how far? Neither Oracle nor MySQL write to /tmp. MySQL may create a
> socket file, which by default resides in /tmp. But /tmp is a rather bad
> place for such a file anyway...

Never ran a Mysql query that returned more results than would fit in ram, have you?

[EMAIL PROTECTED] ~ $ grep tmp /etc/mysql/my.cnf
tmpdir = /tmp/

Not sure about other db servers. Also Apache writes session data to /tmp and PHP pear stuff uses /tmp as well.

kashani
Re: [gentoo-user] /usr as noexec? (was GB for / partition flamewar)
kashani wrote:
> Alexander Skwar wrote:
>> kashani wrote:
>>> Assuming it's a database server a full /tmp will cause some issues.
>>
>> In how far? Neither Oracle nor MySQL write to /tmp. MySQL may create a
>> socket file, which by default resides in /tmp. But /tmp is a rather bad
>> place for such a file anyway...
>
> Never ran a Mysql query that returned more results than would fit in
> ram, have you?

Yes, I have.

> [EMAIL PROTECTED] ~ $ grep tmp /etc/mysql/my.cnf
> tmpdir = /tmp/

Okay, default value. Can be changed, though.

> Not sure about other db servers. Also Apache writes session data to /tmp

Don't know where Apache writes session stuff to. It's new to me that Apache had a session handling at all... I just know the PHP session handling. And yes, this, by default, writes to /tmp as well.

> and PHP pear stuff uses /tmp as well.

Possibly, yes.

Alexander Skwar
--
Hate the sin and love the sinner.
    -- Mahatma Gandhi
Re: [gentoo-user] /usr as noexec? (was GB for / partition flamewar)
Alexander Skwar wrote:
[snippage of pedantic nit picking and back-pedaling]

Yes, Mysql writes to /tmp by default and yes, you can change it, in which case if that partition is full then you see the same behavior. So we can say that Mysql really wants its temp space to have enough room for it to write, and sometimes it needs a few GB rather than a few hundred MB depending on what you're doing and how badly a programmer wrote the query.

Ain't no possible about the session data unless you've manually changed this. Apache writes it to /tmp/ because I go and look before I shoot my mount off.

[EMAIL PROTECTED] ~ $ ls -l /tmp/
total 84
drwxr-xr-x 3 root   root   4096 Oct 28 11:11 pear
-rw------- 1 apache apache 5155 Nov 11 10:16 sess_6c40c9326faf2c5ab4acf8cc28185962
-rw------- 1 apache apache 1783 Nov  2 11:33 sess_97e700cd3b82b36a9e7fc44cd898df52
-rw------- 1 apache apache   30 Jan 13 14:41 sess_c2f99d41593771d2c4ccee93ab6d3355
-rw------- 1 apache apache 1783 Nov  6 22:29 sess_cea4c86ed58f11824519ee8d09205fbb
drwx------ 2 kashani users  4096 Feb 19 12:50 ssh-DGEYh15924

kashani
Re: [gentoo-user] /usr as noexec? (was GB for / partition flamewar)
On Sat, 18 Feb 2006 01:23:51 +0100, Maarten wrote:
> You suck AND you are wrong
> I do not suck. YOU suck!
> Do NOT!
> Do TOO!
> No you suck. And you are wrong...
>
> Now what age-group type conversation does that remind you of...?

The Internet Age :(

--
Neil Bothwick

Windows Error #01: No error... ...yet.
Re: [gentoo-user] /usr as noexec? (was GB for / partition flamewar)
Ryan Tandy wrote:
> Maarten wrote:
>> Or else, if /usr can be mounted noexec without trouble, I'll donate 75
>> bogomips to the FSF.
>
> Can we get that in writing, with a signature, creative use of {sym,hard}
> links and nested mounts notwithstanding? ;)

Certainly ;-) Oh well, it only amounts to 23 days of my Athlons' undivided attention. I'll live. ;-)

> Where trouble is defined as a system that won't run (relatively)
> smoothly, rather than the amount of effort required to get it in that
> state...

Hehehe. Obviously, yes. LOL

Maarten
Re: [gentoo-user] /usr as noexec? (was GB for / partition flamewar)
On 18 February 2006 15:05, Maarten wrote:
> Ryan Tandy wrote:
>> Maarten wrote:
>>> Or else, if /usr can be mounted noexec without trouble, I'll donate 75
>>> bogomips to the FSF.
>>
>> Can we get that in writing, with a signature, creative use of {sym,hard}
>> links and nested mounts notwithstanding? ;)
>
> Certainly ;-) Oh well, it only amounts to 23 days of my Athlons'
> undivided attention. I'll live. ;-)

23 days compressed into one second. That will be the hard part. ;-)

Uwe
--
Why do consumers keep buying products they will live to curse?
Re: [gentoo-user] /usr as noexec? (was GB for / partition flamewar)
Uwe Thiem wrote:
> On 18 February 2006 15:05, Maarten wrote:
>> Ryan Tandy wrote:
>>> Maarten wrote:
>>>> Oh well, it only amounts to 23 days of my Athlons' undivided
>>>> attention. I'll live. ;-)
>
> 23 days compressed into one second. That will be the hard part. ;-)

Well, maybe. Depending on your definition of MIPS. :-) And Bogomi sounded kinda weird, you know. But anyway. No, the real hard (or funny, depending on your viewpoint) part is watching those engineers try to execute a single calculation, on their 7500 billion bogomips system-with-usr-mounted-noexec... ;-)

Back to the thread... I started wondering about something. I thought a 100% full root filesystem was deadly, but never thought about /tmp. So I'd like to ask, what is more deadly for a system, a full root FS, a full /tmp or a full /var ? Why ? And as a bonus question: which one is worse during boot, and which one is worse on a fully booted and running system ?

Maarten
Re: [gentoo-user] /usr as noexec? (was GB for / partition flamewar)
Hi,

On Sat, 18 Feb 2006 18:51:21 +0100 Maarten [EMAIL PROTECTED] wrote:
> Back to the thread... I started wondering about something. I thought a
> 100% full root filesystem was deadly, but never thought about /tmp.
> So I'd like to ask, what is more deadly for a system, a full root FS, a
> full /tmp or a full /var ? Why ?
> And as a bonus question: which one is worse during boot, and which one
> is worse on a fully booted and running system ?

/tmp shouldn't matter. Full/read-only /var will disturb the gentoo rc scripts. When running, programs/daemons may act funny when they can't cope with the situation of full disks (e.g., PHP can't create session files anymore). You can't expect logging to work, too.

Full/unwritable /etc may disturb some maintenance scripts; mount can't update /etc/mtab.

Generally, nothing will prevent the kernel from booting and running any exec that's still readable. So even with full disks, e.g. init=/bin/bash in the kernel command line will give a root shell and let you fix things (after remounting the relevant partitions read-write).

So on a running system, /var and /tmp are the important trees that are expected to be writable. This should be the same for the gentoo rc scripts, but not the kernel bootup.

-hwh
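As an added example (not code from the thread or from any of its posters), the checks implied by kashani's my.cnf/ls evidence and by hwh's list above, written in Python: resolve each tree a running system writes to (/tmp, /var, /etc/mtab, MySQL's tmpdir, the PHP session directory) and each tree that must stay executable (/usr/bin and friends) to its mount and flag ro or noexec, then probe a live directory the way a daemon would, so a full disk and a read-only mount surface as the same failure. The mount table is constructed and the path lists are assumptions drawn from the thread.

```python
import os
import tempfile

# Constructed /proc/mounts-style table (not the thread's machine): /var ro, /usr noexec.
MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /usr ext3 rw,noexec,nodev 0 0
/dev/sda4 /var ext3 ro,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,noexec,nosuid,nodev 0 0
"""

def parse_mounts(text):
    """Map mountpoint -> set of options from /proc/mounts-formatted text."""
    table = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4:
            table[f[1]] = set(f[3].split(","))
    return table

def mount_for(path, mounts):
    """Longest-prefix match of a path against mountpoints, as df does."""
    path = os.path.normpath(path)
    best = "/"
    for mp in mounts:
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best):
            best = mp
    return best

def audit(mounts, must_write, must_exec):
    """(path, mountpoint, problem) for write trees on 'ro' and exec trees on 'noexec'."""
    checks = [(must_write, "ro", "read-only"), (must_exec, "noexec", "noexec")]
    return [(p, mount_for(p, mounts), label)
            for paths, opt, label in checks for p in paths
            if opt in mounts.get(mount_for(p, mounts), set())]

def can_write(directory):
    """Probe a live directory as a daemon would: create, write, unlink.
    A full disk (ENOSPC) and a read-only mount (EROFS) both raise OSError."""
    try:
        fd, name = tempfile.mkstemp(dir=directory)
        os.write(fd, b"probe")
        os.close(fd)
        os.unlink(name)
        return True
    except OSError:
        return False

def tmp_is_writable():
    # Where PHP sessions and the default MySQL tmpdir land on this host.
    return can_write(tempfile.gettempdir())
```

Run `audit(parse_mounts(open("/proc/mounts").read()), ...)` against the real table to check a live box; the constructed table above only demonstrates the two failure modes.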
Re: [gentoo-user] /usr as noexec? (was GB for / partition flamewar)
On Friday 17 February 2006 14:36, Rumen Yotov wrote:
> Hi,
> Please don't take this post as a signal for more battles. IMHO there are
> many true facts from both of you. Just a few points, as i have some
> (limited experience with hardened systems).
> 1. For 2-3 years using portage-tree in /var/portage, no problems so far,
> all it takes is a symlink in /usr change in /etc/make.conf file. So i can
> mount all /usr as 'noexec'.

Forgive me for asking, but how is this possible??? The last time I checked (which was 2 minutes ago...), /usr is where almost all the executables on my system are - /usr/bin, /usr/kde/3.x, /usr/libexec, /usr/sbin...

I kinda doubt that I'll ever take advantage of a setup like this (at least on this machine), but I am curious as to how that would work. For my own machine (notebook with only a 60g hd), I only run 4 basic partitions...

/boot - 70 meg (big just in case I want extra kernels, splash screens, etc.)
swap - 1/2 gig - kinda useless, since I upgraded the RAM from 256m to 2g :-)
/ - 35 gig - everything else Linux
25~ gig or so - Windows partition so I can run games in their native environment without hassles.

Now, obviously, I haven't sub-partitioned my Linux stuff, mainly due to my concerns over a lack of space in general - I don't want to have to worry about ANY lost space to allow room on sub-partitions to not fill up to 100%. Now, if I had a 200 gig drive, I might not be so concerned with space, and it might make some sense for me to set up a few extra partitions. But I don't, and this works for my situation.

As I said at the start, I'm simply curious how you would manage to mount the main executable storage area of your system as noexec.

--
Eric Bliss
systems design and integration, CreativeCow.Net
Re: [gentoo-user] /usr as noexec? (was GB for / partition flamewar)
Eric Bliss wrote:
> On Friday 17 February 2006 14:36, Rumen Yotov wrote:
>> Hi,
>> Please don't take this post as a signal for more battles. IMHO there are
>> many true facts from both of you. Just a few points, as i have some
>> (limited experience with hardened systems).
>> 1. For 2-3 years using portage-tree in /var/portage, no problems so far,
>> all it takes is a symlink in /usr change in /etc/make.conf file. So i
>> can mount all /usr as 'noexec'.
>
> Forgive me for asking, but how is this possible??? The last time I
> checked (which was 2 minutes ago...), /usr is where almost all the
> executables on my system are - /usr/bin, /usr/kde/3.x, /usr/libexec,
> /usr/sbin...

It is, therefore, logically not possible. I believe, in all the mess that this thread has developed into, that Rumen simply confused 'noexec' with 'ro'. Shit happens... :-) This must be the explanation for sure. Or else, if /usr can be mounted noexec without trouble, I'll donate 75 bogomips to the FSF.

Maarten

P.S.: The thread this derived from has to be the most lame discussion I have witnessed in ages, and I've seen a few. First and foremost because neither of you took the simple effort to run two trivial 'find' commands to try and prove the other guy wrong. It is a shame, because at first, you both said some things that were 'insightful'[tm]... Most people would try to strengthen their positions by coming up with some proof, some good arguments, but that is SO totally absent here... No proof, nor examples, nor whatsoever... All you two did manage to say was really just an endless loop of--

Wrong
Not wrong, right.
No, you're wrong
I'm right, you are wrong
You are a thousand times wrong
No, it is you who are infinitely wrong
You are wrong infinitely plus one
I am right, have always been right, and you suck
No YOU suck
I may suck but that is because you know I'm right
You suck AND you are wrong
I do not suck. YOU suck!
Do NOT!
Do TOO!
No you suck. And you are wrong...

Now what age-group type conversation does that remind you of...?
Re: [gentoo-user] /usr as noexec? (was GB for / partition flamewar)
Maarten wrote:
> Or else, if /usr can be mounted noexec without trouble, I'll donate 75
> bogomips to the FSF.

Can we get that in writing, with a signature, creative use of {sym,hard} links and nested mounts notwithstanding? ;)

Where trouble is defined as a system that won't run (relatively) smoothly, rather than the amount of effort required to get it in that state...