Because I dislike splitting disks into numerous partitions, each of whose sizes is a future show-stopper when they prove too small, I generally split disks into just root + swap. Thus, I find on our currently 7 versions of OpenBSD 6.x in our test farm reports like this:

    # mount
    /dev/wd0a on / type ffs (local, wxallowed)

The output of "man mount" says

    wxallowed  Processes that ask for memory to be made writeable plus
               executable using the mmap(2) and mprotect(2) system calls
               are killed by default.  This option allows those processes
               to continue operation.  It is typically used on the
               /usr/local filesystem.

OpenBSD 3.3 introduced the W^X feature in 2004, and some other O/Ses have implemented it as well since then.

Has anyone looked into the problem of enumerating packages that are installed in the /usr/local tree that actually NEED simultaneous write and execute access?

If only a small number of packages need W^X capability, would it make sense to create a separate file tree for them, and let every other part of the filesystem enjoy W^X protection, along with additional security from addition of pledge() and veil() promises into software packages?

-------------------------------------------------------------------------------
- Nelson H. F. Beebe                    Tel: +1 801 581 5254                  -
- University of Utah                    FAX: +1 801 581 4148                  -
- Department of Mathematics, 110 LCB    Internet e-mail: be...@math.utah.edu  -
- 155 S 1400 E RM 233                       be...@acm.org  be...@computer.org -
- Salt Lake City, UT 84112-0090, USA    URL: http://www.math.utah.edu/~beebe/ -
-------------------------------------------------------------------------------
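
One way to approach the enumeration asked about above, as an added example that is not part of the original message: walk a tree and report ELF files that carry the PT_OPENBSD_WXNEEDED program header, which OpenBSD's linker emits for `-z wxneeded`. It assumes the programs of interest were linked with that marker; `needs_wx`, `sample_elf` and `scan` are names made up for this sketch.

```python
import os, struct, sys

PT_OPENBSD_WXNEEDED = 0x65A3DBE7  # p_type value from OpenBSD's <sys/exec_elf.h>

def needs_wx(f):
    """True if the binary file object f is an ELF image marked wxneeded."""
    hdr = f.read(64)
    if len(hdr) < 64 or hdr[:4] != b"\x7fELF" or hdr[4] not in (1, 2) or hdr[5] not in (1, 2):
        return False
    end = "<" if hdr[5] == 1 else ">"                                    # EI_DATA
    fmt, ph_at, sz_at = ("Q", 32, 54) if hdr[4] == 2 else ("I", 28, 42)  # EI_CLASS
    (phoff,) = struct.unpack_from(end + fmt, hdr, ph_at)
    phentsize, phnum = struct.unpack_from(end + "HH", hdr, sz_at)
    if phentsize < 4:
        return False
    f.seek(phoff)
    table = f.read(phentsize * phnum)
    # p_type is the first 32-bit field of every program header entry.
    return any(struct.unpack_from(end + "I", table, off)[0] == PT_OPENBSD_WXNEEDED
               for off in range(0, len(table) - 3, phentsize))

def sample_elf(p_types):
    """Constructed test input: little-endian ELF64 header plus bare program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0,
                              64, 56, len(p_types), 0, 0, 0)
    return hdr + b"".join(struct.pack("<I", t) + bytes(52) for t in p_types)

def scan(root):
    """Yield regular files under root whose ELF headers carry the wxneeded marker."""
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as f:
                    if needs_wx(f):
                        yield path
            except (OSError, OverflowError):
                continue  # unreadable file or nonsensical e_phoff

if __name__ == "__main__":
    for p in scan(sys.argv[1] if len(sys.argv) > 1 else "/usr/local"):
        print(p)
```

The marker only shows which binaries were built to request writable and executable mappings; it does not show whether a given program would still work without them.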