> >> You can add it at any point. It just means that binaries in /usr
> >> which do PROT_WRITE|PROT_EXEC mappings will succeed (with a warning,
> >> of course).
> >>
> >> Over time, these semantics will probably change.
> >
> > If you would like the protection then I don't see any need to reinstall
> > btw.
> >
> > I'm guessing (could be wrong) /usr isn't huge (so won't take ages) but
> > it's dead easy to gain the protection by using cp -Rp /usr to /home/usr
> >
> > Then simply delete the /usr in disklabel and create a /usr
> > and /usr/local and copy back /home/usr to /usr and /home/usr/local
> > to /usr/local because cp is static and in the / root fs so you don't
> > even need to reboot, of course you would have to consider running
> > programs read requirements on those filesystems.
> >
>
> So you are talking about moving /usr from its own filesystem to /.
> Careful with that. If you follow the auto disklabel defaults, / is
> usually max 1GB and after a couple of upgrades /usr can easily get
> too big for that (new libraries, new perl versions, etc). I would
> rather take longer to do a dump/repartition/restore (or do some
> other carving up/rejiggling of partitions) rather than leave a
> timebomb for my future self, updates with too little space for
> /usr are not very funny.

Sorry, no, I should have been clearer. Yeah, I meant creating two
partitions in the previous /usr location with disklabel and not in the
root filesystem. Sorry if anyone did otherwise but I assume it wouldn't
fit.

--
KISSIS - Keep It Simple So It's Securable

