public inbox for gentoo-dev@lists.gentoo.org
From: Joshua Kinard <kumba@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Re: Let's redesign the entire filesystem!
Date: Thu, 15 Mar 2012 08:09:53 -0400
Message-ID: <4F61DC11.2050705@gentoo.org>
In-Reply-To: <CALc3eMX9QgVzU9XSjhcm8x64Lj8mNSn02sXKVaeFfjg3Enjs5Q@mail.gmail.com>


On 03/14/2012 18:14, David Leverton wrote:

> On 14 March 2012 21:04, Greg KH <gregkh@gentoo.org> wrote:
>> Having a separate /usr is wonderful, and once we finish moving /sbin/
>> and /bin/ into /usr/ it makes even more sense.  See the /usr page at
>> fedora for all of the great reasons why this is good.
> 
> My point was to examine, in detail, whether separate-/usr-with-initramfs
> has any disadvantages compared to separate-/usr-without-initramfs.
> Either it has, in which case we have a concrete argument against
> requiring initramfs (albeit possibly one that can be fixed), or it
> hasn't, which should hopefully convince at least some people to accept
> it.


I went with a split filesystem design when I built my first Gentoo install
back in mid 2003 because at the time, both the Gentoo and Debian security
guides referenced it as being an option for a more secure system.

Specifically so that you could apply mount options to each partition.  For
example, on /home, you would usually want to do nodev and nosuid, because
rarely does a user need the ability to create device nodes and SUID
binaries.  On /var, nodev, nosuid, and noexec, with the one exception if you
ran qmail or a few other packages known to stick executables into /var.  For
/usr, the guides suggested just nodev, because you rarely, if ever, need to
create device nodes in /usr.  Optionally, you could mount /usr ro and only
make it rw if updating packages.

You won't find a separate /usr mentioned specifically anymore in either
security guide, but I'm sure if you dig on the Wayback Machine (once it
comes back online), you can probably find these references.  Search from
2003 to 2007.  I'm not certain when they were removed.

-- 
Joshua Kinard
Gentoo/MIPS
kumba@gentoo.org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic
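
The per-partition mount options described in the message above can be checked mechanically. The following is an added example, not part of the original message: the `POLICY` string, the function names and the sample fstab entries are constructed for illustration.

```shell
#!/bin/sh
# Policy from the message: mount point = options it should carry.
# (Read-only /usr is described as optional, so it is not enforced.)
POLICY='/home=nodev,nosuid;/var=nodev,nosuid,noexec;/usr=nodev'

# Constructed sample in fstab / /proc/mounts field order.
sample_fstab() {
    cat <<'EOF'
/dev/sda1 /     ext4 noatime             0 1
/dev/sda2 /home ext4 noatime,nodev       0 2
/dev/sda3 /var  ext4 nodev,nosuid,noexec 0 2
# /usr is part of the root filesystem in this sample
EOF
}

# Reads mount entries on stdin; prints "<mp> missing:<opts>" for each policy
# gap and "<mp> not-separate" when the path has no mount entry of its own.
audit_mounts() {
    awk -v policy="$POLICY" '
    BEGIN {
        n = split(policy, rows, ";")
        for (i = 1; i <= n; i++) {
            split(rows[i], f, "=")
            order[i] = f[1]; want[f[1]] = f[2]
        }
    }
    $1 ~ /^#/ || NF < 4 { next }      # comments, blank and short lines
    ($2 in want) { have[$2] = $4 }    # a later entry overrides an earlier one
    END {
        for (i = 1; i <= n; i++) {
            mp = order[i]
            if (!(mp in have)) { print mp " not-separate"; continue }
            m = split(want[mp], req, ",")
            split("", set)            # portable way to empty an array
            g = split(have[mp], got, ",")
            for (k = 1; k <= g; k++) set[got[k]] = 1
            missing = ""
            for (j = 1; j <= m; j++)
                if (!(req[j] in set))
                    missing = (missing == "" ? "" : missing ",") req[j]
            if (missing != "") print mp " missing:" missing
        }
    }'
}

sample_fstab | audit_mounts
```

On a running system, `audit_mounts < /proc/mounts` checks the options actually in effect rather than those configured in /etc/fstab.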


