On 03/14/2012 18:14, David Leverton wrote: > On 14 March 2012 21:04, Greg KH <gre...@gentoo.org> wrote: >> Haveing a separate /usr is wonderful, and once we finish moving /sbin/ >> and /bin/ into /usr/ it makes even more sense. See the /usr page at >> fedora for all of the great reasons why this is good. > > My point was examine, in detail, whether separate-/usr-with-initramfs > has any disadvantages compared to separate-/usr-without-initramfs. > Either it has, in which case we have a concrete argument against > requiring initramfs (albeit possibly one that can be fixed), or it > hasn't, which should hopefully convince at least some people to accept > it.
I went with a split filesystem design when I built my first Gentoo install back in mid 2003 because at the time, both the Gentoo and Debian security guides referenced it as being an option for a more secure system. Specifically so that you could apply mount options to each partition. For example, on /home, you would usually want to do nodev and nosuid, because rarely does a user need the ability to create device nodes and SUID binaries. On /var, nodev, nosuid, and noexec, with the one exception if you ran qmail or a few other packages known to stick executables into /var. For /usr, the guides suggested just nodev, because you rarely, if ever need to create device nodes in /usr. Optionally, you could mount /usr ro and only make it rw if updating packages. You won't find A separate /usr mentioned specifically anymore in either security guide, but I'm sure if you dig on the Wayback Machine (once it comes back online), you can probably find these references. Search from 2003 to 2007. I'm not certain when they were removed. -- Joshua Kinard Gentoo/MIPS ku...@gentoo.org 4096R/D25D95E3 2011-03-28 "The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between." --Emperor Turhan, Centauri Republic
signature.asc
Description: OpenPGP digital signature