Subject: Re: chflags script?
To: None <firstname.lastname@example.org>
From: Michael Richardson <email@example.com>
Date: 08/15/1999 18:32:01
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Lex" == Lex Wennmacher <wennmach@geo.Uni-Koeln.DE> writes:
Lex> The latter, unless you reset the sappnd flag on the /etc directory.
Lex> Generally, you want to have the sappnd flag set on /etc, so that it
Lex> becomes impossible to remove or rename /etc. (Directories with the
Lex> sappnd flag set may not be removed nor renamed, nor may files in them
Lex> be deleted, however new files may be created). passwd(1) generates
Lex> temporary files in /etc, which can't be removed anymore.
Lex> Here is what happens if you have the sappnd flag set on /etc:
Okay, no problem. Not being able to change passwords without single user
mode is just fine on a firewall.
I'd like to see something like your NetBSD.secure checked in, perhaps
several different variations, maybe in /usr/share/examples/chflags. I would
be very happy to help maintain it.
Specifically, I'm looking at a CDrom boot that uses rsync to grab
config files from a predefined server. (maybe with a personality floppy,
maybe just assume that one has a burner)
I'm humming and hawing about rsync over SSH or not.
pro: store the private key on the CDrom/floppy, stored offline,
and it means that one might even do updates over
a hostile network.
no new process required on server machine, no firewall
issues, etc. if machine already accepted SSH logins.
only authorized public keys can look at config files
con: SSH is too powerful, so the account has to be treated
SSH is not properly licensed (but lsh, a clone is making headway)
anonymous rsync access involves creating no special priveledges
Ideally, I'd like to be able to do
"cd /usr/src; make install DESTDIR=/myfirewall/root"
and have an appropriate $DESTDIR/etc/mtree/NetBSD.dist and friends created to
store the intended file permissions at the destination.
] Out and about in Ottawa. hmmm... beer. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] firstname.lastname@example.org http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
-----END PGP SIGNATURE-----