Subject: Re: CVS commit: src/share/examples/fstab
To: Klaus Klein <kleink@mibh.de>
From: Hubert Feyrer <hubert@feyrer.de>
List: source-changes
Date: 05/04/2005 22:55:36

On Wed, 4 May 2005, Klaus Klein wrote:
>> No devices on /usr		-> mount -o nodev
>> No setuid programs in /var	-> mount -o nodev,nosuid
>>
>> Adding "noexec" in various places may cause too much damage
>> (e.g. for running DEINSTALL scripts from /var/db/pkg, configure
>> scripts, etc).
>
> You mean "damage" as in no device nodes being available to
> daemons chrooted to /var/chroot, which is the setup we happen
> to recommend?  At the very least this deserves a comment about
> the consequences.

True... I think adding a test if /var is mounted nodev may be even better.
I'll have a look.


  - Hubert

-- 
NetBSD - Free AND Open!      (And of course secure, portable, yadda yadda)
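
One way to write the kind of check discussed in this message, as an added example (not code from this thread or from NetBSD): it reads `mount`-style output and reports whether the file system holding a chroot directory is mounted nodev. The function names, the sample mount table and the /var/chroot/named path are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in the "DEVICE on MOUNTPOINT type FSTYPE (options)" shape.
SAMPLE_MOUNT='/dev/wd0a on / type ffs (local)
/dev/wd0f on /usr type ffs (local, nodev)
/dev/wd0e on /var type ffs (local, nodev, nosuid)'

# mount_dev_status PATH: read mount output on stdin and print
# "MOUNTPOINT nodev" or "MOUNTPOINT dev" for the file system holding PATH.
mount_dev_status() {
    awk -v path="$1" '
    $2 == "on" {
        mp = $3
        # Accept "/" or a whole-component prefix, so /var does not match /varnish.
        if (mp != "/" && path != mp && index(path, mp "/") != 1) next
        # Keep only the longest (most specific) matching mount point.
        if (length(mp) <= length(best)) next
        best = mp
        opts = ""
        if (match($0, /\(.*\)/)) opts = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/[ \t]/, "", opts)
        status = "dev"
        n = split(opts, o, ",")
        for (i = 1; i <= n; i++) if (o[i] == "nodev") status = "nodev"
    }
    END { if (best != "") print best, status }'
}

# check_chroot_devices DIR: return 0 if device nodes under DIR can work,
# 1 if the covering file system is nodev, 2 if no mount point covers DIR.
check_chroot_devices() {
    result=$(mount_dev_status "$1")
    case "$result" in
        "") echo "no mount point found for $1" >&2; return 2 ;;
        *" nodev")
            echo "WARNING: $1 is on ${result% nodev}, mounted nodev;" \
                 "device nodes inside the chroot will not work" >&2
            return 1 ;;
        *) return 0 ;;
    esac
}

# Demo on the constructed table; on a live system pipe `mount` in instead.
printf '%s\n' "$SAMPLE_MOUNT" | check_chroot_devices /var/chroot/named || true
```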