From: Joshua Kinard
Date: Thu, 15 Mar 2012 08:09:53 -0400
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Re: Let's redesign the entire filesystem!
Message-ID: <4F61DC11.2050705@gentoo.org>
References: <20120314145144.GC3200@ca.inter.net> <20120314150431.GA2033@kroah.com> <20120314150827.53dc8336@googlemail.com> <20120314152209.GA2157@kroah.com> <4F60D585.4050206@gentoo.org> <4F60E9C1.7050600@gentoo.org> <20120314210456.GB11179@kroah.com>

On 03/14/2012 18:14, David Leverton wrote:
> On 14 March 2012 21:04, Greg KH wrote:
>> Having a separate /usr is wonderful, and once we finish moving /sbin/
>> and /bin/ into /usr/ it makes even more sense. See the /usr page at
>> fedora for all of the great reasons why this is good.
>
> My point was to examine, in detail, whether separate-/usr-with-initramfs
> has any disadvantages compared to separate-/usr-without-initramfs.
> Either it has, in which case we have a concrete argument against
> requiring initramfs (albeit possibly one that can be fixed), or it
> hasn't, which should hopefully convince at least some people to accept
> it.

I went with a split filesystem design when I built my first Gentoo install
back in mid 2003 because at the time, both the Gentoo and Debian security
guides referenced it as being an option for a more secure system.
Specifically so that you could apply mount options to each partition. For
example, on /home, you would usually want to do nodev and nosuid, because
rarely does a user need the ability to create device nodes and SUID
binaries. On /var, nodev, nosuid, and noexec, with the one exception if you
ran qmail or a few other packages known to stick executables into /var.

For /usr, the guides suggested just nodev, because you rarely, if ever, need
to create device nodes in /usr. Optionally, you could mount /usr ro and only
make it rw if updating packages.

You won't find a separate /usr mentioned specifically anymore in either
security guide, but I'm sure if you dig on the Wayback Machine (once it
comes back online), you can probably find these references. Search from
2003 to 2007. I'm not certain when they were removed.

--
Joshua Kinard
Gentoo/MIPS
kumba@gentoo.org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us. And
our lives slip away, moment by moment, lost in that vast, terrible
in-between."

--Emperor Turhan, Centauri Republic
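The per-partition mount-option policy described in the mail (nodev and nosuid on /home; nodev, nosuid and noexec on /var; nodev on /usr) is easy to drift away from after a reinstall or an fstab edit, so the useful check is an audit of what is actually mounted. The script below is an added example, not code from this thread or from the Gentoo or Debian guides the mail cites; the policy table, the helper names and the sample /proc/mounts lines are all constructed here, and the script only reads the live /proc/mounts when called without an argument.

```sh
#!/bin/sh
# Added example, not code from the gentoo-dev thread: audit mounted filesystems
# against the per-partition mount-option policy the mail describes (nodev and
# nosuid on /home; nodev, nosuid and noexec on /var; nodev on /usr).
# The policy table and the sample /proc/mounts lines are constructed here.

# Policy: one line per mountpoint, followed by the options that must be present.
# Add "ro" to the /usr line if you run /usr read-only outside package updates.
POLICY='/home nodev nosuid
/var nodev nosuid noexec
/usr nodev'

# Constructed sample in /proc/mounts format (device mountpoint fstype options dump pass).
# /home lacks nodev and /var lacks noexec, so the audit should flag both.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /usr ext4 ro,nodev,relatime 0 0
/dev/sda4 /var ext4 rw,nodev,nosuid,relatime 0 0
/dev/sda5 /home ext4 rw,nosuid,relatime 0 0'

# Constructed sample that satisfies the whole policy.
HARDENED_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /usr ext4 ro,nodev,relatime 0 0
/dev/sda4 /var ext4 rw,nodev,nosuid,noexec,relatime 0 0
/dev/sda5 /home ext4 rw,nodev,nosuid,relatime 0 0'

# has_opt OPTS OPT: succeed when OPT appears in the comma-separated list OPTS.
# Wrapping both sides in commas avoids matching "dev" inside "nodev".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# mount_opts MOUNTS MOUNTPOINT: print the option field of MOUNTPOINT, or nothing
# if it is not a separate mount (a plain directory on / inherits /'s options).
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# audit_mounts [MOUNTS]: print one "mountpoint missing option" line per violation
# (or "mountpoint not-a-separate-mount"); return 0 when everything complies.
# Reads the live /proc/mounts when no argument is given.
audit_mounts() {
    _mounts=${1:-$(cat /proc/mounts)}
    _fail=0
    # A here-document keeps the loop in the current shell, so _fail survives it.
    while read -r _mp _wants; do
        _cur=$(mount_opts "$_mounts" "$_mp")
        if [ -z "$_cur" ]; then
            printf '%s not-a-separate-mount\n' "$_mp"
            _fail=1
            continue
        fi
        for _want in $_wants; do
            has_opt "$_cur" "$_want" || {
                printf '%s missing %s\n' "$_mp" "$_want"
                _fail=1
            }
        done
    done <<EOF
$POLICY
EOF
    return $_fail
}

# Stand-alone demo on the constructed sample; call audit_mounts with no
# argument to check the running system. Exit status 1 means at least one
# partition needs attention.
audit_mounts "$SAMPLE_MOUNTS" || echo "sample mounts do not meet the policy"
```

On the constructed sample the audit reports "/home missing nodev" and "/var missing noexec" and exits 1; on the hardened sample it prints nothing and exits 0. The qmail exception from the mail is handled by editing the policy line for /var rather than by special-casing the script, so the policy stays a plain, reviewable table.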