Subject: Re: Separate /usr, etc...
To: Chuck Yerkes <firstname.lastname@example.org>
From: Greg A. Woods <email@example.com>
Date: 12/17/2002 18:02:43
On Monday, 16 December 2002 at 14:43:36 -0800, Chuck Yerkes wrote:
> I'm a very strong advocate of making /usr separate because I
> mount it read-only. In fact, except for root, if it's got
> a binary on it, it's RO. If it's got data, it's mounted
> noexec, nosuid, nodev. Several reasons. And I've built machines
> where the binaries are on disks PINNED read-only (trojan that!).
It's far easier to get much better read-only coverage of your sensitive
files using the immutable flag -- then you can protect scripts and
binaries and static data files on the root FS too.
Greg A. Woods
+1 416 218-0098; <firstname.lastname@example.org>; <email@example.com>
Planix, Inc. <firstname.lastname@example.org>; VE3TCP; Secrets of the Weird <email@example.com>