Subject: Re: CVS commit: src/share/examples/fstab
To: Hubert Feyrer <hubert@feyrer.de>
From: Klaus Klein <kleink@mibh.de>
List: source-changes
Date: 05/04/2005 23:34:10
On Wednesday, 4. May 2005 22:55, Hubert Feyrer wrote:
> On Wed, 4 May 2005, Klaus Klein wrote:
> >> No devices on /usr		-> mount -o nodev
> >> No setuid programs in /var	-> mount -o nodev,nosuid
> >>
> >> Adding "noexec" in various places may cause too much damage
> >> (e.g. for running DEINSTALL scripts from /var/db/pkg, configure
> >> scripts, etc).
> >
> > You mean "damage" as in no device nodes being available to
> > daemons chrooted to /var/chroot, which is the setup we happen
> > to recommend?  At the very least this deserves a comment about
> > the consequences.
> 
> True... I think adding a test if /var is mounted nodev may be even better.
> I'll have a look.

I believe this would really make the matter more complicated than
it needs to be; if the daemon chroot is mounted nodev, then what
next?

Also, a point gone missing here is that with the clock accuracy you
get from the typical COTS machine, you're very likely to end up
running ntpd, and in that case the suggested mount option will bite
you.


- Klaus
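The check Hubert floats above (test whether /var is mounted nodev before relying on device nodes under /var/chroot) can be scripted against mount(8) output. The script below is an added example written for this page; it is not code from the thread, from the fstab example file, or from NetBSD itself. The mount table it parses is constructed for the example (the device names and the mounts on /usr, /var and /home are assumptions); on a live system you would pass "$(mount)" instead. It finds the mount point that holds a given path by longest-prefix match, extracts that mount's option list, and reports which of nodev, nosuid and noexec would affect a daemon chrooted to that directory.

```shell
#!/bin/sh
# Added example, not part of the original thread or of NetBSD.
# Constructed sample of mount(8)-style output; not captured from a real host.
SAMPLE_MOUNTS='/dev/wd0a on / type ffs (local)
/dev/wd0e on /usr type ffs (local, nodev)
/dev/wd0f on /var type ffs (local, nodev, nosuid)
/dev/wd0g on /home type ffs (local, nodev, nosuid, noexec)'

# mount_point_of PATH MOUNTS: print the mount point holding PATH, i.e. the
# longest mount point that is PATH itself or a directory prefix of PATH.
# "/var" must not match "/varx", so the prefix compared is "<mp>/".
mount_point_of() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $2 == "on" {
            mp = $3
            pfx = (mp == "/") ? "/" : (mp "/")
            if (p == mp || index(p, pfx) == 1)
                if (length(mp) > length(best)) best = mp
        }
        END { print best }'
}

# mount_options_of MOUNTPOINT MOUNTS: print that mount's option list without
# the parentheses and spaces, e.g. "local,nodev,nosuid".
mount_options_of() {
    printf '%s\n' "$2" | awk -v mp="$1" '
        $2 == "on" && $3 == mp {
            s = $0
            sub(/^[^(]*\(/, "", s)
            sub(/\)$/, "", s)
            gsub(/, */, ",", s)
            print s
        }'
}

# has_mount_option PATH OPTION MOUNTS: succeed if the filesystem holding PATH
# was mounted with OPTION.
has_mount_option() {
    mp=$(mount_point_of "$1" "$3")
    [ -n "$mp" ] || return 1
    opts=$(mount_options_of "$mp" "$3")
    case ",$opts," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# chroot_report DIR MOUNTS: print one line per mount restriction that would
# affect a daemon chrooted to DIR; return 1 if any applies, 0 if none does.
chroot_report() {
    rc=0
    mp=$(mount_point_of "$1" "$2")
    for opt in nodev nosuid noexec; do
        if has_mount_option "$1" "$opt" "$2"; then
            case $opt in
                nodev)  echo "$1: $mp is mounted nodev; device nodes inside the chroot will not work" ;;
                nosuid) echo "$1: $mp is mounted nosuid; setuid bits inside the chroot are ignored" ;;
                noexec) echo "$1: $mp is mounted noexec; binaries inside the chroot cannot be executed" ;;
            esac
            rc=1
        fi
    done
    return $rc
}

# Usage against the constructed table; the directory name is an assumption.
chroot_report /var/chroot/ntpd "$SAMPLE_MOUNTS" || :
```

The longest-prefix match matters: with /var mounted nodev and / not, a naive "does the path start with /" test would report the wrong mount for anything under /var, and the daemon's device nodes would silently fail at run time rather than at install time.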