Le dimanche 23 août 2015 à 18:54 +0200, Niels de Vos a écrit : > On Sat, Aug 22, 2015 at 07:16:31PM +0200, Emmanuel Dreyfus wrote: > > Hello > > > > We have a rogue test that appends log data to an incorrect open file > > descriptors, clobebring various system and library files with logs. That > > quickly renders regression slaves unusable. > > > > I tried an exepriment to thwart that threat: NetBSD FFS filesystem > > features an immutable flag, which tells even root cannot modify the > > file. I applied it on nbslave7[1-j] for the following files and > > directories (and their children) > > /.cshrc /.profile /altroot /bin /boot /boot.cfg /etc /grub /lib /libdata > > /libexec /netbsd /netbsd7-XEN3PAE_DOMU /opt /rescue /root /sbin /stand > > /usr > > > > Let me know if it is too wide and causes trouble. If anyone wants to > > experiment: > > Recursively (-R) installs the flag in /usr: > > chflags -R uchg /usr > > Recursively remove it: > > chflags -R nouchg /usr > > > > We also have schg/noschg, which can be set at any time but can only be > > removed by root in a single-user shell. I ruled out this because I am > > not sure rackspace console access lets us use single user mode. > > Great idea! I was thinking of something like SElinux, but that is > obviously not available for NetBSD. > > Thanks for setting this up and checking on its progress,
I wonder if we could do something with ostree, since that would make the system readonly. -- Michael Scherer Sysadmin, Community Infrastructure and Platform, OSAS
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Gluster-infra mailing list [email protected] http://www.gluster.org/mailman/listinfo/gluster-infra
