[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bits from the Release Team - Kicking off Wheezy



[...]
> • Read-only root
> 
>   Depends on /run.  Having /run will allow remaining writable files
>   under /etc to be moved (/etc/mtab, LVM2 cache, CUPS for starters).
>   Identifying and fixing/removing packages writing to /etc during
>   their normal operation would be a worthy release goal.
> 
>   This will make Debian more secure to run, easier to deploy in a
>   cluster or netboot environment (no writable image overlay required),
>   keeping dpkg-managed filesystems completely read-only during normal
>   operation (other than /var).
> 
[...]

Here's an obviously incomplete list of such files, from a fairly comprehensive
desktop installation. I've taken these from my integrit configuration for a
lenny (!) system - I'd love not to be in need for such a list of exceptions.

/etc/aumixrc
/etc/mtab
/etc/motd
/etc/adjtime
/etc/resolv.conf
/etc/qt3/qt_plugins_3.3rc
/etc/network/run/ifstate
/etc/hotplug/.run/net.enable
/etc/cups/ppd/
/usr/share/ppd/custom/
/etc/cups/classes.conf
/etc/cups/printers.conf
/etc/cups/printers.conf.O
/etc/cups/cupsd.conf
/etc/printcap
/etc/lvm/cache/.cache
/etc/openvpn/openvpn-status.log
/etc/blkid.tab
/etc/blkid.tab.old
/etc/samba/dhcp.conf
/etc/hosts.deny (written by denyhosts, hence that one is a bit hard to fix)

Hope this helps,
Michael

Attachment: pgp0yyG746atG.pgp
Description: PGP signature


Reply to: