[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bits from the Release Team - Kicking off Wheezy

On Sun, 03 Apr 2011, Goswin von Brederlow wrote:
> Henrique de Moraes Holschuh <hmh@debian.org> writes:
> > On Thu, 31 Mar 2011, Goswin von Brederlow wrote:
> >> > /etc/adjtime
> >
> > This needs to survive reboots, and it is also needed early in the boot.
> > It is used to correct the RTC syndrome.
> >
> > I am at a loss about how it could be made compatible with RO /.
> So my clock is sightly wrong during boot until the ntpd/chrony/ntpdate
> fixes it. It doesn't give errors so i can live with that.

*Your* clock is slightly wrong, but there are a lot more than just slightly
wrong clocks out there.  You likely don't leave the box turned off for a
long while, either, and you're usually online so you can use
ntp/chrony/ntpdate.  /etc/adjtime can do wonders to offline boxes, and to
boxes that are not turned on that often.

OTOH, refreshing my knownledge of this stuff (which I haven't needed for a
while because right now I have no boxes that stay offline for too long)
shows that the interaction with a RO / is not too bad (see adjtimex(8),

It looks like we can assume that automatic adjustment of /etc/adjtime will
only happen where the local admin really knows what he is doing, and manual
adjustment has never been a problem in the first place.

So, /etc/adjtime must remain where it is, but it can be RO.

> >> > /etc/hosts.deny (written by denyhosts, hence that one is a bit hard to fix)
> >> 
> >> Don't have that. Fix denyhosts to link that to /var/ (or /run when we
> >> have it).
> >
> > Has to be available before any tcp-wrapped network service is started.
> I guess you could just have a /etc/defaults/hosts.deny that you copy to
> /run and link /etc/hosts.deny -> /run/hosts.deny before starting
> tcp-wrapped network services.

No.  The fix is to leave /etc/hosts.{deny,allow} alone, and instead fix
anything that likes to write to them to not do it, and use the extended
syntax that allows one to read the hosts to block/allow from a separate
file.  Maybe add something that updates the files in /etc at shutdown as

Anything else will be playing funny chance games with system security.

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to: