[sf-lug] filesystem for a 3TB external USB drive
jim at systemateka.com
Tue Jan 3 19:03:48 PST 2012
Seems like a few of these considerations might be a
good basis for determining partitioning, yes?
On Tue, 2012-01-03 at 18:56 -0800, Rick Moen wrote:
> Quoting Paul Ivanov (pi at berkeley.edu):
> > Thanks for this, Rick - I learned something. Specifically your
> > particular uses of 'ro' and 'noatime'. I'm inferring that
> > the purpose of ro is for security, is this correct, or are there
> > other reasons?
> My use of 'ro' on most filesystems of type ext2 is so that (1) they're
> always synced while mounted 'ro', and cannot have long fsck times and
> possible filesystem corruption upon accidental reboots (the aspect that
> removes the usual disadvantages of ext2, in that particular use case),
> and (2) affected filesystems are that much more difficult for a clumsy
> sysadmin (or a process run with system authority) to screw them up.
> You will notice that the ones mounted normally read-only are the ones
> that are normally static, such as /usr. That filesystem (except for the
> /usr/local portion of it) doesn't change except when you
> install/remove/update software. So, I leave it normally 'ro', and
> include a dpkg hook to automatically remount 'rw' before package
> operations and remount 'ro' after them.
> Protecting the system against a clumsy sysadmin is arguably a sort of
> security reason. (The administrative user is usually the largest single
> threat to the system's integrity.) One might also hope that 'ro'
> filesystems might be a bit more resistant to canned, automated attack
> scripts, in the sense of limiting the damage they can easily do, the way
> they are usually written by default. However, a well-written attack
> tool that has managed to achieve root access can always remount 'ro'
> filesystems as 'rw' before acting.
> > The noatime performance trick also looks like a gem - I didn't know
> > about it.
> Beware of (rare) software that relies on the atime field being updated.
> Some MTAs need their mail spool files to have that datum be accurate,
> for example.
> sf-lug mailing list
> sf-lug at linuxmafia.com
> Information about SF-LUG is at http://www.sf-lug.org/
More information about the sf-lug