Subject: Re: Escaping a chroot jail
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Curt Sampson <cjs@cynic.net>
List: tech-security
Date: 07/15/2005 06:07:24

On Thu, 14 Jul 2005, Thor Lancelot Simon wrote:

> What you really want is for all filesystems with executables or device
> nodes on them to be mounted r/o, and all other filesystems to be
> mounted nodev, noexec.  If you use null mounts to do it, it is easy
> to maintain these filesystems from the outside while the system is
> running.

Having an example of this in the system--say, with ntpd--would be very
nice.

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.NetBSD.org
      Make up enjoying your city life...produced by BIC CAMERA
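
Added example, not part of the original message or of NetBSD itself: a small audit of the mount policy quoted above (every filesystem either read-only, or both nodev and noexec). It assumes `mount`-style lines of the form `<src> on <mountpoint> type <fstype> (<options>)`; the ntpd chroot paths in the sample are constructed for illustration.

```shell
#!/bin/sh
# Policy from the quoted text: a filesystem is either mounted read-only,
# or it carries both nodev and noexec.

# Reads mount(8)-style lines on stdin (assumed format, see lead-in) and
# prints one line per mount point that violates the policy.
audit_mounts() {
    while IFS= read -r line; do
        case $line in
            *" on "*" type "*"("*")"*) ;;   # looks like a mount line
            *) continue ;;                  # skip anything else
        esac
        rest=${line#* on }
        mnt=${rest%% type *}
        opts=${line##*\(}
        opts=${opts%%\)*}
        # Normalise to ",opt,opt," so options match as whole words.
        opts=",$(printf '%s' "$opts" | tr -d ' '),"
        case $opts in *,read-only,*) continue ;; esac
        missing=
        case $opts in *,nodev,*) ;; *) missing="nodev" ;; esac
        case $opts in *,noexec,*) ;; *) missing="${missing:+$missing }noexec" ;; esac
        if [ -n "$missing" ]; then
            printf '%s: writable, missing %s\n' "$mnt" "$missing"
        fi
    done
    return 0
}

# Constructed sample: a read-only root, a null-mounted read-only ntpd
# chroot, and writable data filesystems (all paths are hypothetical).
SAMPLE_MOUNTS='/dev/wd0a on / type ffs (read-only, local)
/dev/wd0e on /var type ffs (local, nodev, noexec)
/usr/chroot-src/ntpd on /var/chroot/ntpd type null (read-only, local)
/var/db/ntpd on /var/chroot/ntpd/var/db type null (local, nodev)
/dev/wd0f on /home type ffs (local)'

# On a live system this would be: mount | audit_mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
```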