
Re: Bits from the Release Team - Kicking off Wheezy



On Sun, 03 Apr 2011, Goswin von Brederlow wrote:
> Henrique de Moraes Holschuh <hmh@debian.org> writes:
> > On Thu, 31 Mar 2011, Goswin von Brederlow wrote:
> >> > /etc/adjtime
> >
> > This needs to survive reboots, and it is also needed early in the boot.
> > It is used to correct the RTC syndrome.
> >
> > I am at a loss about how it could be made compatible with RO /.
> 
> So my clock is slightly wrong during boot until the ntpd/chrony/ntpdate
> fixes it. It doesn't give errors so I can live with that.

*Your* clock is slightly wrong, but there are a lot more than just slightly
wrong clocks out there.  You likely don't leave the box turned off for a
long while, either, and you're usually online so you can use
ntp/chrony/ntpdate.  /etc/adjtime can do wonders to offline boxes, and to
boxes that are not turned on that often.

OTOH, refreshing my knowledge of this stuff (which I haven't needed for a
while because right now I have no boxes that stay offline for too long)
shows that the interaction with a RO / is not too bad (see adjtimex(8),
http://linuxcommand.org/man_pages/adjtimex8.html).

It looks like we can assume that automatic adjustment of /etc/adjtime will
only happen where the local admin really knows what he is doing, and manual
adjustment has never been a problem in the first place.

So, /etc/adjtime must remain where it is, but it can be RO.

> >> > /etc/hosts.deny (written by denyhosts, hence that one is a bit hard to fix)
> >> 
> >> Don't have that. Fix denyhosts to link that to /var/ (or /run when we
> >> have it).
> >
> > Has to be available before any tcp-wrapped network service is started.
> 
> I guess you could just have a /etc/defaults/hosts.deny that you copy to
> /run and link /etc/hosts.deny -> /run/hosts.deny before starting
> tcp-wrapped network services.

No.  The fix is to leave /etc/hosts.{deny,allow} alone, and instead fix
anything that likes to write to them to not do it, and use the extended
syntax that allows one to read the hosts to block/allow from a separate
file.  Maybe add something that updates the files in /etc at shutdown as
well.

Anything else will be playing funny chance games with system security.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
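
The layout described in the reply above, as an added example that is not part of the original message: /etc/hosts.deny stays static and names a separate list file, and only that list is ever rewritten. The /var/lib/blocklist/denied path, the function names and the sample address are assumptions made for the demo, which runs inside a scratch directory rather than the real /etc.

```shell
#!/bin/sh
# Added illustration. Paths and names are assumptions; the "root" argument
# stands in for / so nothing outside a scratch directory is touched.

# Write the static rule once. Per hosts_access(5), a pattern that begins
# with '/' is a file name, and a client matches if it matches any pattern
# listed in that file. /etc/hosts.deny itself never changes afterwards.
setup_layout() {  # $1 = root
    mkdir -p "$1/etc" "$1/var/lib/blocklist" || return 1
    : > "$1/var/lib/blocklist/denied"
    printf 'ALL: /var/lib/blocklist/denied\n' > "$1/etc/hosts.deny"
    chmod 0444 "$1/etc/hosts.deny"
}

# Add one address to the writable list, as a blocking tool would do
# instead of editing /etc/hosts.deny.
block_host() {  # $1 = root, $2 = IPv4 address
    list="$1/var/lib/blocklist/denied"
    # Accept only a dotted-quad shape, so a string taken from a log cannot
    # smuggle a wildcard (ALL), a prefix pattern or a second file name in.
    printf '%s\n' "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # Already listed: nothing to do.
    grep -qxF "$2" "$list" && return 0
    # Build the new list beside the old one and rename it into place, so a
    # reader never sees a half-written file.
    tmp="$list.tmp.$$"
    { cat "$list"; printf '%s\n' "$2"; } > "$tmp" && mv "$tmp" "$list"
}

# Demo on a scratch root with a constructed sample address (TEST-NET-1).
demo_root=$(mktemp -d)
setup_layout "$demo_root"
block_host "$demo_root" 192.0.2.10
cat "$demo_root/etc/hosts.deny" "$demo_root/var/lib/blocklist/denied"
rm -rf "$demo_root"
```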

