Re: Bits from the Release Team - Kicking off Wheezy
Henrique de Moraes Holschuh <hmh@debian.org> writes:
> On Sun, 03 Apr 2011, Goswin von Brederlow wrote:
>> Henrique de Moraes Holschuh <hmh@debian.org> writes:
>> > On Thu, 31 Mar 2011, Goswin von Brederlow wrote:
>> >> > /etc/adjtime
>> >
>> > This needs to survive reboots, and it is also needed early in the boot.
>> > It is used to correct the RTC syndrome.
>> >
>> > I am at a loss about how it could be made compatible with RO /.
>>
>> So my clock is slightly wrong during boot until the ntpd/chrony/ntpdate
>> fixes it. It doesn't give errors so I can live with that.
>
> *Your* clock is slightly wrong, but there are a lot more than just slightly
> wrong clocks out there. You likely don't leave the box turned off for a
> long while, either, and you're usually online so you can use
> ntp/chrony/ntpdate. /etc/adjtime can do wonders to offline boxes, and to
> boxes that are not turned on that often.
>
> OTOH, refreshing my knowledge of this stuff (which I haven't needed for a
> while because right now I have no boxes that stay offline for too long)
> shows that the interaction with a RO / is not too bad (see adjtimex(8),
> http://linuxcommand.org/man_pages/adjtimex8.html).
>
> It looks like we can assume that automatic adjustment of /etc/adjtime will
> only happen where the local admin really knows what he is doing, and manual
> adjustment has never been a problem in the first place.
>
> So, /etc/adjtime must remain where it is, but it can be RO.
That was what I was saying. You cut the part about running read-write
for a while to get the /etc/adjtime primed.
>> >> > /etc/hosts.deny (written by denyhosts, hence that one is a bit hard to fix)
>> >>
>> >> Don't have that. Fix denyhosts to link that to /var/ (or /run when we
>> >> have it).
>> >
>> > Has to be available before any tcp-wrapped network service is started.
>>
>> I guess you could just have a /etc/defaults/hosts.deny that you copy to
>> /run and link /etc/hosts.deny -> /run/hosts.deny before starting
>> tcp-wrapped network services.
>
> No. The fix is to leave /etc/hosts.{deny,allow} alone, and instead fix
> anything that likes to write to them to not do it, and use the extended
> syntax that allows one to read the hosts to block/allow from a separate
> file. Maybe add something that updates the files in /etc at shutdown as
> well.
Works too. I hope that extended syntax allows mentioning a file that is
not yet there. Or would you then get errors about file not found early
during boot?
> Anything else will be playing funny chance games with system security.
MfG
Goswin
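As an added illustration of the "extended syntax" approach discussed above (this is not from the thread): hosts_access(5) treats a client-list entry that begins with `/` as the name of a file whose lines are host patterns, so the static /etc/hosts.deny can stay on a read-only / while the dynamically maintained list lives on a writable filesystem. The daemon name, the /run path and the shutdown copy step are assumptions, not something the thread specifies.

```text
# /etc/hosts.deny  (static file; can live on a read-only /)
# Format: daemon_list : client_list
# A client_list entry starting with "/" names a file of host patterns,
# one pattern per line, which tcp_wrappers reads at each access check.
# The path below is an assumption: a writable location that denyhosts
# (or a similar tool) would update instead of rewriting /etc/hosts.deny.
sshd : /run/denyhosts.deny

# Static, hand-maintained rules remain here as usual.
ALL : PARANOID
```

Persisting the dynamic list across reboots then means copying /run/denyhosts.deny to a location that survives (for example under /var) at shutdown and restoring it before tcp-wrapped services start, as suggested in the thread.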