Subject: Re: PROPOSAL: File flags (LONG)
To: NetBSD Security Technical Discussion List <tech-security@netbsd.org>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-security
Date: 02/04/1999 11:16:02
On Feb 3, Greg A. Woods wrote
> [...]
> > The box I set up has / mounted read-only (this needs some tweaks in
> > /etc and /var, and / is first mounted r/w and remounted ro later, after syslog
> > has created /dev/log). /usr is mounted nodev, /home and /var nodev,noexec.
> 
> These are definitely good ideas too....  I wonder if it is possible to
> make such a configuration generic enough that the default system could
> enable it with a flick of a switch in /etc/rc.conf.
> 

That's definitely not easy: there are too many things which need to be R/W in
/etc, including passwd databases.
This works for me because users can only log in from the network, and all
network daemons are chrooted in /netroot/, and /netroot/etc is a symlink to
/netroot/var/etc.
Now that we have nsswitch, we could add a passwd method where users'
entries would be in /etc/passwd, /etc/pwd.db and only the passwd would be
stored elsewhere (which means a getpwent() as root would have to read
2 files: /etc/passwd for the generic entry and this other file to fill in
the crypted passwd field).

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
--
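
An added example, not part of the original message: a small audit that checks mount(8) output against the layout described above (/ read-only, /usr nodev, /home and /var nodev,noexec). The output line format, the option spelling "read-only" and the device names are assumptions, and the sample text is constructed.

```python
import re

# Policy taken from the message above: mount point -> options that must be set.
POLICY = {
    "/": {"read-only"},
    "/usr": {"nodev"},
    "/home": {"nodev", "noexec"},
    "/var": {"nodev", "noexec"},
}

# Assumed mount(8) line format: "<dev> on <dir> [type <fs>] (<opt>, <opt>)".
MOUNT_LINE = re.compile(r"^(\S+) on (\S+)(?: type (\S+))? \(([^)]*)\)\s*$")

# Constructed sample, not captured from a real host.
SAMPLE = """\
/dev/sd0a on / type ffs (read-only, local)
/dev/sd0e on /usr type ffs (nodev, local)
/dev/sd0f on /var type ffs (nodev, local)
/dev/sd0g on /home type ffs (nodev, noexec, local)
"""

def parse_mounts(text):
    """Return {mount_point: set(options)}; the last entry for a directory wins."""
    mounts = {}
    for line in text.splitlines():
        m = MOUNT_LINE.match(line)
        if m:
            mounts[m.group(2)] = {o.strip() for o in m.group(4).split(",") if o.strip()}
    return mounts

def audit(text, policy=POLICY):
    """Return sorted (mount_point, problem) findings for every policy violation."""
    mounts = parse_mounts(text)
    findings = []
    for mount_point, required in policy.items():
        if mount_point not in mounts:
            # Not its own file system: it lives on another one and gets that
            # file system's options, so the restriction cannot be set here.
            findings.append((mount_point, "not a separate mount"))
            continue
        for opt in sorted(required - mounts[mount_point]):
            findings.append((mount_point, "missing " + opt))
    return sorted(findings)

if __name__ == "__main__":
    for mount_point, problem in audit(SAMPLE):
        print(f"{mount_point}: {problem}")
```
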