, Greg Troxel <gdt@ir.bbn.com>
From: Lubomir Sedlacik <salo@Xtrmntr.org>
List: netbsd-users
Date: 05/01/2006 17:41:47
On Mon, May 01, 2006 at 05:30:10PM +0200, Geert Hendrickx wrote:
> On Mon, May 01, 2006 at 08:08:26AM -0400, Greg Troxel wrote:
> > The only other approach I can think of is to change mtree to allow
> > certain deviations, like mode 444 when it should be 644, and
> > symlinks to a file/dir of the right type and mode.
>
> I thought of this, but I suppose this will not survive an upgrade?
> (i.e. I have to redo this change after every update of the OS)
>
> I'd prefer some sort of config option in /etc/security.conf, like
> "skip_mtree=/etc/named.conf /etc/namedb". I'll have a look at
> implementing that.
>
> It could be useful for other security false positives, too. e.g., I
> set looser permissions on some device nodes, like /dev/sd0* (for USB
> devices), which also results in daily security messages.
security.conf(5):

     check_mtree  This runs mtree(8) to ensure that the system is installed
                  correctly.  The following configuration files are checked:

                  /etc/mtree/special
                          Default files to check.

                  /etc/mtree/special.local
                          Local site additions.
regards,
-- 
-- Lubomir Sedlacik <salo@{NetBSD,Xtrmntr,silcnet}.org> --
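A sketch of the path matching a skip_mtree option of the kind Geert proposes would need, as an added example that is not part of the thread, not NetBSD's /etc/security script and not anyone's patch. The option name skip_mtree is assumed, and the report lines are constructed stand-ins rather than real mtree(8) output; the example also covers the directory case, so everything below /etc/namedb is skipped while the unrelated /etc/namedb2 is still reported.

```shell
#!/bin/sh
# Assumed option, modelled on the proposal in the thread (not a real
# /etc/security.conf variable): paths separated by whitespace.
skip_mtree="/etc/named.conf /etc/namedb"

# Constructed sample of difference reports in a simplified
# "path: what differs" form.  This is not real mtree(8) output.
sample_report='/etc/named.conf: permissions (0644, 0640)
/etc/namedb/named.root: permissions (0644, 0660)
/etc/namedb2/zone: permissions (0644, 0666)
/etc/master.passwd: permissions (0600, 0644)
/dev/sd0a: permissions (0640, 0660)'

# skipped PATH: succeeds (returns 0) when PATH is exactly one of the
# skip_mtree entries or lies below one that names a directory.  The
# pattern "$entry"/* matches on a path component boundary, so
# /etc/namedb does not swallow /etc/namedb2.
skipped() {
    path=$1
    for entry in $skip_mtree; do
        case "$path" in
            "$entry"|"$entry"/*) return 0 ;;
        esac
    done
    return 1
}

# filter_report REPORT: prints only the lines whose path is not
# covered by skip_mtree; these are what the daily mail would still show.
filter_report() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        path=${line%%:*}
        skipped "$path" || printf '%s\n' "$line"
    done
}

filter_report "$sample_report"
```

Listing a directory silences every change beneath it, so an entry should be as narrow as the file whose deviation is actually intended.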