
Re: Bits from the Release Team - Kicking off Wheezy

> • Read-only root
>   Depends on /run.  Having /run will allow remaining writable files
>   under /etc to be moved (/etc/mtab, LVM2 cache, CUPS for starters).
>   Identifying and fixing/removing packages writing to /etc during
>   their normal operation would be a worthy release goal.
>   This will make Debian more secure to run, easier to deploy in a
>   cluster or netboot environment (no writable image overlay required),
>   keeping dpkg-managed filesystems completely read-only during normal
>   operation (other than /var).

Here's an obviously incomplete list of such files, from a fairly comprehensive
desktop installation. I've taken these from my integrit configuration for a
lenny (!) system - I'd love not to be in need of such a list of exceptions.

/etc/hosts.deny (written by denyhosts, hence that one is a bit hard to fix)

Hope this helps,
