[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bits from the Release Team - Kicking off Wheezy

Henrique de Moraes Holschuh <hmh@debian.org> writes:

> On Sun, 03 Apr 2011, Goswin von Brederlow wrote:
>> Henrique de Moraes Holschuh <hmh@debian.org> writes:
>> > On Thu, 31 Mar 2011, Goswin von Brederlow wrote:
>> >> > /etc/adjtime
>> >
>> > This needs to survive reboots, and it is also needed early in the boot.
>> > It is used to correct the RTC syndrome.
>> >
>> > I am at a loss about how it could be made compatible with RO /.
>> So my clock is sightly wrong during boot until the ntpd/chrony/ntpdate
>> fixes it. It doesn't give errors so i can live with that.
> *Your* clock is slightly wrong, but there are a lot more than just slightly
> wrong clocks out there.  You likely don't leave the box turned off for a
> long while, either, and you're usually online so you can use
> ntp/chrony/ntpdate.  /etc/adjtime can do wonders to offline boxes, and to
> boxes that are not turned on that often.
> OTOH, refreshing my knownledge of this stuff (which I haven't needed for a
> while because right now I have no boxes that stay offline for too long)
> shows that the interaction with a RO / is not too bad (see adjtimex(8),
> http://linuxcommand.org/man_pages/adjtimex8.html).
> It looks like we can assume that automatic adjustment of /etc/adjtime will
> only happen where the local admin really knows what he is doing, and manual
> adjustment has never been a problem in the first place.
> So, /etc/adjtime must remain where it is, but it can be RO.

That was what I was saying. You cut the part about running read-write
for a while to get the /etc/adjtime primed.

>> >> > /etc/hosts.deny (written by denyhosts, hence that one is a bit hard to fix)
>> >> 
>> >> Don't have that. Fix denyhosts to link that to /var/ (or /run when we
>> >> have it).
>> >
>> > Has to be available before any tcp-wrapped network service is started.
>> I guess you could just have a /etc/defaults/hosts.deny that you copy to
>> /run and link /etc/hosts.deny -> /run/hosts.deny before starting
>> tcp-wrapped network services.
> No.  The fix is to leave /etc/hosts.{deny,allow} alone, and instead fix
> anything that likes to write to them to not do it, and use the extended
> syntax that allows one to read the hosts to block/allow from a separate
> file.  Maybe add something that updates the files in /etc at shutdown as
> well.

Works too. I hope that extended syntax allows mentioning a file that is
not yet there. Or would you then get errors about file not found early
during boot?

> Anything else will be playing funny chance games with system security.


Reply to: