From: Rumen Yotov <rumen@qrypto.org>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] How many GB for / partition?
Date: Sat, 18 Feb 2006 00:36:53 +0200
Message-ID: <1140215813.1141.14.camel@mach.qrypto.org>
In-Reply-To: <43F641B4.4010700@mid.email-server.info>
On Fri, 2006-02-17 at 22:35 +0100, Alexander Skwar wrote:
> Maarten wrote:
> > Okay, can we stop with the flamefest, already?
>
> Certainly.
>
> > Alexander Skwar wrote:
> >> Hemmann, Volker Armin wrote:
> >>>On Thursday 16 February 2006 20:40, Alexander Skwar wrote:
> >>>>Hemmann, Volker Armin wrote:
> >>>>>On Thursday 16 February 2006 17:18, Alexander Skwar wrote:
> >>>>>>Hemmann, Volker Armin wrote:
> >>>>>>>On Thursday 16 February 2006 15:45, Alexander Skwar wrote:
> >
> >
> >>>>Wrong again. If tmp is the only place somebody can write, then
> >>>>it might save you (and it DID save my ass more than once now).
> >>>
> >>>since /tmp is not the only place where someone can write (/var/tmp anyone?)
> >
> > Several more indeed. Find comes to the rescue:
> >
> > 12087 0 drwxrwxrwt 2 root root 40 Jan 10 22:40 /dev/shm
> > 252744 0 drwxrwxrwt 2 root root 72 Apr 20 2005 /var/spool/samba
> >
> > Yes, I CAN make files there, as a regular user.
>
> Yep, but you have to find those places. If you cannot execute
> programs, that will be hard. With /tmp, an attacker knows
> that he can write there.
>
> Granted, /dev/shm is also a rather common place that allows
> everyone to write to.
>
> >>>yes really, you have to remount /usr every time you update something.
> >>
> >> Yeah, yeah. You know, your exaggerations become boring...
> >
> > Well, no. It is correct. How do you expect to install something when /usr is mounted RO?
>
> Well, you know, his arguments aren't /totally/ wrong. I already
> said that they are true, in a sense - but I also said that he's
> exaggerating very much. Quite obviously, there's no way to write
> to /usr if it is mounted read only.
>
> What I disagree with is his notion that a "mount -o
> remount,rw /usr" is a lot of work.
>
> I also don't disagree that it IS extra work. I'm just saying
> that it's not MUCH extra work.
>
> Alexander Skwar
> --
> (German philosopher) Georg Wilhelm Hegel, on his deathbed, complained,
> "Only one man ever understood me." He fell silent for a while and then added,
> "And he didn't understand me."
Hi,
Please don't take this post as a signal for more battles.
IMHO there are many true facts from both of you.
Just a few points, as I have some (limited) experience with hardened
systems.
1. For 2-3 years I've been using the portage tree in /var/portage, no problems so far;
all it takes is a symlink in /usr & a change in the /etc/make.conf file.
So I can mount all of /usr as 'noexec'.
2. For a really important system (from a security point of view) people
could use some of Gentoo's hardened projects (grsec, SELinux, RSBAC).
I've used grsec & RSBAC. Logically grsec is less powerful but easier
to manage, and RSBAC (like SELinux) is like a combat tank in a battle
of the Middle Ages (concerning security settings).
So there are tools for almost everything, if you wish and know how to use
them. No system is perfect but some are almost ;)
HTH. Rumen
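The thread's point is that an unprivileged user can always find a writable directory (the quoted find output lists /dev/shm and /var/spool/samba), so what matters is whether the filesystem holding it is mounted noexec. The following audit script is an added example, not code from anyone in the thread; it assumes GNU find and stat (for the %m mount-point format) and a Linux /proc/mounts.

```shell
#!/bin/sh
# Added example: pair each world-writable directory with the mount options of
# the filesystem it lives on, so "writable AND executable" locations stand out.
# Assumes GNU find/stat and Linux /proc/mounts (not part of the original thread).

# List world-writable directories below $1 on the same filesystem, one per
# line, in the same "perms path" shape as the quoted find output.
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 -printf '%M %p\n' 2>/dev/null
}

# Return 0 if the comma-separated mount option list $1 contains option $2
# (exact match, so "noexec" does not match "exec").
opts_have() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print the mount options of the filesystem holding directory $1. The last
# /proc/mounts entry for a mount point wins, which matches an over-mount.
mount_opts_for() {
    mp=$(stat -c %m "$1") || return 1
    awk -v mp="$mp" '$2 == mp { opts = $4 } END { print opts }' /proc/mounts
}

# Report every world-writable directory under $1: "ok" when its filesystem is
# noexec, "EXEC?" when a user could both write a file there and run it.
report_writable_exec() {
    world_writable_dirs "$1" | while read -r perms dir; do
        opts=$(mount_opts_for "$dir")
        if opts_have "$opts" noexec; then
            printf 'ok     %s %s (noexec)\n' "$perms" "$dir"
        else
            printf 'EXEC?  %s %s [%s]\n' "$perms" "$dir" "$opts"
        fi
    done
}

# Usage: sh audit_writable.sh /   (run as root to traverse every directory)
if [ -n "${1:-}" ]; then
    report_writable_exec "$1"
fi
```

Directories flagged EXEC? are candidates for either a noexec remount (as discussed for /tmp and /usr above) or a separate filesystem of their own.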