On Sun, Aug 16, 2009 at 6:46 PM, Nick Holland <n...@holland-consulting.net> wrote:
> Okai Mood wrote:
>> OpenBSD Misc,
>>
>> I have installed OpenBSD 4.5 and applied the patches that have been
>> issued, as per FAQ "10.15 - Applying patches in OpenBSD". My only
>> question is, is there anything I need to do to clean up /usr/src after
>> the patching and compiling is over?
>
> nope.  Any needed cleanup will be taken care of at the start of the
> next build cycle.
> (possible exception: the patch files themselves, but I really don't
> think they will be big enough to cause you any problems, and leaving
> them in place might help remind you what patches have been applied
> and which haven't.)
>
>> Also, is it recommended to keep
>> /usr/src on a separate partition?
>
> Certainly not a bad thing.
>
> If you look at the default install on a "big" disk for 4.6, you see
> the following partitions and how they are mounted:
>  /dev/wd0a on / type ffs (rw, local)
>  /dev/wd0k on /home type ffs (rw, local, nodev, nosuid)
>  /dev/wd0d on /tmp type ffs (rw, local, nodev, nosuid)
>  /dev/wd0f on /usr type ffs (rw, local, nodev)
>  /dev/wd0g on /usr/X11R6 type ffs (rw, local, nodev)
>  /dev/wd0h on /usr/local type ffs (rw, local, nodev)
>  /dev/wd0j on /usr/obj type ffs (rw, local, nodev, nosuid)
>  /dev/wd0i on /usr/src type ffs (rw, local, nodev, nosuid)
>  /dev/wd0e on /var type ffs (rw, local, nodev, nosuid)
>
> In addition to some logistical benefit, there is a security benefit
> here.  Only root has write access to anything in most of /usr, with the
> exceptions of /usr/src, /usr/obj.  Those two directories can, by
> default, be written by anyone in the wsrc group.  Note that those two
> directories are "nosuid", which reduces some of the mischief someone
> in the wsrc group could get into.  This keeps with the general theme
> of, "directories where users can write should be nosuid, nodev, areas
> that have to be mounted to permit devices and setuid apps need to be
> not writable by non-root users".

Good points. This brings up a question I have meant to ask. Since we
are giving "sources" their own mount point, wouldn't it make sense to
have a different name for this mount point (other than /usr/src) so
that both /usr/ports and /usr/xenocara can also reside there? As is,
with the layout the installer suggests/offers, you are left with
/usr/{ports,xenocara} in /usr.

What I've done on my -current system, I have a /usr/osrc mount point
and soft-links for /usr/{ports,src,xenocara} into that mount point.
Same with object directories:

$ ls -l /usr/{obj,ports,src,xenocara,xobj}
lrwxr-xr-x  1 root  wheel   9 Jul  4 13:05 /usr/obj -> oobj/obj/
lrwxr-xr-x  1 root  wheel  11 Jul  4 13:05 /usr/ports -> osrc/ports/
lrwxr-xr-x  1 root  wheel   9 Jul  4 13:04 /usr/src -> osrc/src/
lrwxr-xr-x  1 root  wheel  14 Jul  4 13:05 /usr/xenocara -> osrc/xenocara/
lrwxr-xr-x  1 root  wheel  10 Jul  4 13:05 /usr/xobj -> oobj/xobj/

The only drawback with this scheme seems to be a daily security
warning about /usr/src being a link and having a different gid.

I suppose one could have different mount points for each of the five
directories mentioned above, but that could be a bit overkill if the
soft-links accomplish the same goal(s).

--patrick
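The rule Nick quotes above ("directories where users can write should be nosuid, nodev") is easy to state and easy to drift away from once mount points get renamed or symlinked as in Patrick's layout. The following POSIX sh script is an added example, not code from the thread or from OpenBSD itself: it reads mount(8)-style output (a constructed sample modelled on the 4.6 listing above, with /usr/src deliberately missing nosuid and /usr/obj not mounted separately) and reports every directory in a policy list of user-writable mount points that either lacks a required option or is not a separate mount at all. The policy list and the required-option list are assumptions chosen for this example.

```sh
#!/bin/sh
# Added example: audit mount options on user-writable mount points.
# Not part of the original thread or of OpenBSD's own /etc/security.

# Constructed sample in the format mount(8) prints on OpenBSD. /usr/src is
# missing "nosuid" on purpose and /usr/obj is absent on purpose.
SAMPLE_MOUNTS='/dev/wd0a on / type ffs (rw, local)
/dev/wd0k on /home type ffs (rw, local, nodev, nosuid)
/dev/wd0d on /tmp type ffs (rw, local, nodev, nosuid)
/dev/wd0f on /usr type ffs (rw, local, nodev)
/dev/wd0i on /usr/src type ffs (rw, local, nodev)
/dev/wd0e on /var type ffs (rw, local, nodev, nosuid)'

# Assumed policy: mount points that non-root users (e.g. the wsrc group)
# are expected to write to, and the options each of them must carry.
USER_WRITABLE="/home /tmp /var /usr/src /usr/obj"
REQUIRED_OPTS="nodev nosuid"

# check_mounts: read mount(8)-style lines on stdin and print one line per
# finding. Prints nothing when every policy directory is a separate mount
# carrying all required options.
check_mounts() {
    seen=""
    while IFS= read -r line; do
        # "<dev> on <mountpoint> type <fs> (<opts>)"
        rest=${line#* on }
        mp=${rest%% *}
        opts=${line##*(}
        opts=${opts%)}
        opts=$(printf '%s' "$opts" | tr -d ' ')   # "rw,local,nodev"
        seen="$seen $mp"
        for w in $USER_WRITABLE; do
            [ "$mp" = "$w" ] || continue
            for o in $REQUIRED_OPTS; do
                case ",$opts," in
                    *",$o,"*) ;;
                    *) printf '%s missing %s\n' "$mp" "$o" ;;
                esac
            done
        done
    done
    # A policy directory that is not its own mount inherits the options of
    # its parent filesystem (here /usr, which has no nosuid), so flag it too.
    for w in $USER_WRITABLE; do
        case " $seen " in
            *" $w "*) ;;
            *) printf '%s not a separate mount\n' "$w" ;;
        esac
    done
}

# run_sample: apply the check to the constructed sample and return the report.
run_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | check_mounts
}
```

On a live system the same function is fed from the real mount table with `mount | check_mounts`; on the sample it reports `/usr/src missing nosuid` and `/usr/obj not a separate mount`. Symlinked layouts such as /usr/src -> osrc/src are not resolved here: the check looks at mount points as mount(8) names them, so with Patrick's scheme the entry to audit would be the /usr/osrc mount rather than /usr/src.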
