On Sun, 03 Apr 2011, Goswin von Brederlow wrote:
> Henrique de Moraes Holschuh <h...@debian.org> writes:
> > On Thu, 31 Mar 2011, Goswin von Brederlow wrote:
> >> > /etc/adjtime
> >
> > This needs to survive reboots, and it is also needed early in the boot.
> > It is used to correct the RTC syndrome.
> >
> > I am at a loss about how it could be made compatible with RO /.
>
> So my clock is slightly wrong during boot until the ntpd/chrony/ntpdate
> fixes it. It doesn't give errors so I can live with that.
*Your* clock is slightly wrong, but there are a lot more than just slightly
wrong clocks out there. You likely don't leave the box turned off for a
long while, either, and you're usually online so you can use
ntp/chrony/ntpdate. /etc/adjtime can do wonders to offline boxes, and to
boxes that are not turned on that often.

OTOH, refreshing my knowledge of this stuff (which I haven't needed for a
while because right now I have no boxes that stay offline for too long)
shows that the interaction with a RO / is not too bad (see adjtimex(8),
http://linuxcommand.org/man_pages/adjtimex8.html). It looks like we can
assume that automatic adjustment of /etc/adjtime will only happen where
the local admin really knows what he is doing, and manual adjustment has
never been a problem in the first place.

So, /etc/adjtime must remain where it is, but it can be RO.

> >> > /etc/hosts.deny (written by denyhosts, hence that one is a bit hard to
> >> > fix)
> >>
> >> Don't have that. Fix denyhosts to link that to /var/ (or /run when we
> >> have it).
> >
> > Has to be available before any tcp-wrapped network service is started.
>
> I guess you could just have a /etc/defaults/hosts.deny that you copy to
> /run and link /etc/hosts.deny -> /run/hosts.deny before starting
> tcp-wrapped network services.

No. The fix is to leave /etc/hosts.{deny,allow} alone, and instead fix
anything that likes to write to them to not do it, and use the extended
syntax that allows one to read the hosts to block/allow from a separate
file. Maybe add something that updates the files in /etc at shutdown as
well.

Anything else will be playing funny chance games with system security.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Archive: http://lists.debian.org/20110404014656.ga9...@khazad-dum.debian.net
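The arrangement Henrique describes (a static /etc/hosts.deny on the read-only root that points at a writable list via the "/path" pattern form of hosts_access(5), with the list re-created at boot and persisted at shutdown), as an added example that is not code from the thread or from denyhosts: the paths /run/hosts.deny.dynamic and /var/lib/hosts.deny.dynamic are hypothetical names, and the functions are assumed to be called from early-boot and shutdown hooks.

```shell
#!/bin/sh
# Added illustration, not code from the thread. Assumed layout (hypothetical names):
#   /etc/hosts.deny on the read-only root stays static and carries the line
#       ALL: /run/hosts.deny.dynamic
#   so tcp_wrappers reads the real host patterns from the writable file.
#   Per hosts_access(5) a referenced file holds host name/address patterns
#   (one or more per line), not "daemon: client" lines, so a tool that adds
#   bans must append bare addresses to the runtime list.
: "${RUN_DENY:=/run/hosts.deny.dynamic}"       # writable list on a tmpfs
: "${SEED_DENY:=/var/lib/hosts.deny.dynamic}"  # persisted copy on a writable fs

# Early boot, before any tcp-wrapped service: rebuild the runtime list from the
# persisted copy so existing bans are in force from the first connection.
init_dynamic_deny() {
    if [ -f "$SEED_DENY" ]; then
        cp "$SEED_DENY" "$RUN_DENY"
    else
        : > "$RUN_DENY"   # no seed yet: start with an empty list (denies nothing)
    fi
    chmod 0644 "$RUN_DENY"
}

# Shutdown: persist the runtime list atomically, so an interrupted write cannot
# leave a truncated seed that silently drops every ban on the next boot.
persist_dynamic_deny() {
    [ -f "$RUN_DENY" ] || return 0
    cp "$RUN_DENY" "$SEED_DENY.tmp" && mv "$SEED_DENY.tmp" "$SEED_DENY"
}

# Sanity check for the static file ($1): an uncommented line must reference the
# runtime list, otherwise the bans are never consulted. Returns 0 if it does.
static_deny_references_runtime() {
    [ -r "$1" ] || return 1
    grep -v '^[[:space:]]*#' "$1" | grep -Fq -- "$RUN_DENY"
}
```

Anything that appends to the runtime list should also be taught to stop editing /etc/hosts.deny itself; the static file then never needs to be writable.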