# Partition Scheme



## wisdown (Feb 22, 2014)

Hey guys,

On FreeBSD the security practices from Linux applies also on partitioning the HD?

Usually I do something like this (on Linux):


```
/boot		ext4		primary
/			ext4		logic		
/var			ext4		logic		nodev,nosuid,noexec
/var/log		ext4		logic		nodev,nosuid,noexec
/usr			ext4		logic		ro, nodev
/home		ext4		logic		nodev, nosuid
/tmp			tmpfs	logic		nodev,nosuid,noexec
swap			primary
```

I'm trying focusing on security, this should be fine or there other best practice?
The Handbook doesn't have examples for this specific situation, instead, say to keep the default installation.

Thanks in advance.


----------



## kpa (Feb 22, 2014)

Do not put /boot on a separate partition unless you absolutely have to do it (for example when using a geli(8) encrypted system), there are no security gains by using a separate partition for it.


----------



## wisdown (Feb 22, 2014)

Thanks for the reply @kpa!

I forget to say, on Linux I use LVM + Encryption, because this /boot have an separate partition.
I'm willing do same  thing on FreeBSD, ZFS + Encryption.

For now I'm trying get the layout scheme for install in multiple virtual machine.

(I'm testing how decrease the RAM for ZFS, today i'm testing this guide https://wiki.freebsd.org/ZFSTuningGuide - my goal is use 512 MB for ZFS in each virtual machine saving RAM from host - or in other words 512 MB RAM for ZFS + 256 MB RAM for OS + X RAM for applications.)


----------



## trh411 (Feb 22, 2014)

wisdown said:
			
		

> Thanks for the reply @kpa!
> 
> I forget to say, on Linux I use LVM + Encryption, because this /boot have an separate partition.
> I'm willing do same  thing on FreeBSD, ZFS + Encryption.


If you are planning on using ZFS, your proposed disk partitioning is irrelevant. A ZFS installation will create a single zroot zpool on a single disk partition (for non-mirrored setups) and create individual datasets (filesystems) for /, /tmp, /usr and /var, and numerous child datasets of the aforementioned, in the zroot zpool.


----------



## ralphbsz (Feb 22, 2014)

Can someone explain to my why fragmenting the "system" directories into multiple file systems improves security, with perhaps the exception of /tmp and /var/spool being on a separate file system?

If someone manages to get onto the system as a normal user (or already is a normal user), then normal access control should prevent them from doing anything harmful, other than perform a denial-of-service attack by overusing shared disk space that they can write to (perhaps indirectly), which is the /tmp directory, and the spool directories for outgoing mail and print jobs.

If someone manages to become root, then no partitioning scheme will help anyhow, as they can simply do a `dd if=/dev/zero of=/dev/adaxx`, and be done with this machine and all its file systems.

I see the real purpose of segregating file systems in preventing snafus (mostly inadvertent, don't ascribe to malice what can be explained by incompetence) due to running out of disk space.  For example, on my home machine I run `mt-daapd` (the iTunes music server), which has the nasty habit of logging an insane amount to /var/log, and I need to frequently trim its logs to prevent it from running the system into the ground.  But the correct solution for this problem would be a quota system, for example using ZFS.

On a performance-oriented system, there may be other good reasons to partition file system, for example put file systems that have mostly small IO reads onto SSD, ones that mostly have large sequential writes and appends onto fast spinning disks (unless they call fsync all the time, in which case you may want a log- or journal-based solution using SSDs for the small writes), and rarely accessed capacity-bound file systems onto high-capacity disks.  But I think most home systems and small commercial servers don't have that kind of performance need on their system directories (excluding /home and the directories for servers, such as NFS, CIFS, database, web).

Personally, I still partition my root disk, but that's mostly force of habit.


----------



## wblock@ (Feb 22, 2014)

Splitting some directories out allows them to be mounted with different options, like noexec or nosuid.  But also remember that a lot of Linux distributions don't have the clear separation of base system and applications that FreeBSD has, and sometimes end up with application data in what FreeBSD would call system directories.


----------

