On Fri, Oct 17, 2003 at 09:05:04AM -0700, Christian G. Warden wrote:
> we have the same problem with english.
>
> $ dict security
> 2 definitions found
>
> >From Webster's Revised Unabridged Dictionary (1913) [web1913]:
>
> Security \Se*cu"ri*ty\, n.; pl. {Securities}. [L. securitas: cf.
> F. s['e]curit['e]. See {Secure}, and cf. {Surety}.]
> [...]
> (c) Freedom from risk; safety.
> [...]
Ok, how about wrapping this thread up sometime soon. The semantics and
philosophical issues can be discussed in much greater depth than they have
been so far, but preferably not on deb-sec. Here are some observations:
Making /usr read-only is not likely going to be an option in
debian-installer any time soon. The question is whether to mention the
possibility of doing it in any documentation. It's not much of a defense
against a cracker, and only useful against an automated attack that doesn't
check for it, in terms of security, so the Debian security manual isn't an
obvious place for it. It's the sort of thing that could get mentioned as a
possibly-useful-for-some-systems kind of thing in with other sysadmin tips
and tricks.
Any docs that do mention it should include info on how to tell apt to mount
it read-write before running dpkg, and read-only again after:
DPkg {
// Auto re-mounting of a readonly /usr
Pre-Invoke {"mount -o remount,rw /usr";};
Post-Invoke {"mount -o remount,ro /usr";};
}
from:
http://lists.debian.org/debian-devel/2001/debian-devel-200111/msg00212.html
(note the caveat that dpkg could sometimes leave running processes with file
descriptors open on deleted files, preventing /usr from being remount ro
again.)
So, as I see it, mounting /usr read-only is of minor benefit, and is only
even possible for people who have /usr on a filesystem by itself, or with
other read-only stuff. It's worth a mention somewhere, but shouldn't be
promoted as a best-practice or something that all good admins do. If a
particular system would really benefit from it, the admin probably just
needs to see the idea mentioned, not see a big list of effects on systems in
general.
--
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@cor , des.ca)
"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BC
Attachment:
signature.asc
Description: Digital signature