Subject: Re: [gentoo-user] How many GB for / partition?
From: Rumen Yotov
To: gentoo-user@lists.gentoo.org
Date: Sat, 18 Feb 2006 00:36:53 +0200
Message-Id: <1140215813.1141.14.camel@mach.qrypto.org>
In-Reply-To: <43F641B4.4010700@mid.email-server.info>
References: <7ae6f8f0602160419w67142523p296a88b3944ce180@mail.gmail.com>
 <200602161946.36923.volker.armin.hemmann@tu-clausthal.de>
 <43F4D541.6000205@mid.email-server.info>
 <200602162123.26046.volker.armin.hemmann@tu-clausthal.de>
 <43F56E36.2030109@mid.email-server.info>
 <43F62970.9030005@ultratux.org>
 <43F641B4.4010700@mid.email-server.info>
Organization: personal
X-Mailer: Evolution 2.4.2.1

On Fri, 2006-02-17 at 22:35 +0100, Alexander Skwar wrote:
> Maarten wrote:
> > Okay, can we stop with the flamefest, already ?
> 
> Certainly.
> 
> > Alexander Skwar wrote:
> >> Hemmann, Volker Armin wrote:
> >>>On Thursday 16 February 2006 20:40, Alexander Skwar wrote:
> >>>>Hemmann, Volker Armin wrote:
> >>>>>On Thursday 16 February 2006 17:18, Alexander Skwar wrote:
> >>>>>>Hemmann, Volker Armin wrote:
> >>>>>>>On Thursday 16 February 2006 15:45, Alexander Skwar wrote:
> >
> >
> >>>>Wrong again. If tmp is the only place somebody can write, then
> >>>>it might save you (and it DID save my ass more than once now).
> >>>
> >>>since /tmp is not the only place where someone can write (/var/tmp anyone?)
> >
> > Several more indeed. Find comes to the rescue:
> >
> > 12087 0 drwxrwxrwt 2 root root 40 Jan 10 22:40 /dev/shm
> > 252744 0 drwxrwxrwt 2 root root 72 Apr 20 2005 /var/spool/samba
> >
> > Yes, I CAN make files there, as a regular user.
> 
> Yep, but you have to find those places. If you cannot execute
> programs, that will be hard. With /tmp, an attacker knows
> that he can write there.
> 
> Granted, /dev/shm is also a rather common place that allows
> everyone to write to.
> 
> >>>yes really, you have to remount /usr every time you update something.
> >>
> >> Jaja. You know, your exaggerations become boring...
> >
> > Well, no. It is correct. How do you expect to install something when /usr is mounted RO ?
> 
> Well, you know, his arguments aren't /totally/ wrong. I already
> said that they are true, in a sense - but I also said, that he's
> exaggerating very much. Quite obviously, there's no way to write
> to /usr if it is mounted read only.
> 
> What I disagree with, is that his notion that a "mount -o
> remount,rw /usr" is a lot of work.
> 
> I also don't disagree that it IS extra work. I'm just saying
> that it's not MUCH extra work.
> 
> Alexander Skwar
> -- 
> (German philosopher) Georg Wilhelm Hegel, on his deathbed, complained,
> "Only one man ever understood me." He fell silent for a while and then added,
> "And he didn't understand me."

Hi,
Please don't take this post as a signal for more battles. IMHO there are many true facts from both of you. Just a few points, as I have some (limited) experience with hardened systems.

1. For 2-3 years I have been using the portage tree in /var/portage, no problems so far; all it takes is a symlink in /usr and a change in the /etc/make.conf file. So I can mount all of /usr as 'noexec'.

2. For a really important system (from a security point of view) people could use some of Gentoo's hardened projects (grsec, SELinux, RSBAC). I've used grsec and RSBAC. Logically grsec is less powerful but easier to manage, and RSBAC (like SELinux) is like a combat tank in a battle during Middle Age wars (concerning security settings).

So there are tools for quite everything, if you wish and know how to use them. No system is perfect but some are almost ;)
HTH.
Rumen

[S/MIME signature attachment smime.p7s omitted]

-- 
gentoo-user@gentoo.org mailing list
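As an added example (not code from the thread), the world-writable-directory check behind Maarten's find output, combined with the other side of the argument: whether the mount holding each such directory carries noexec, the option Rumen applies to /usr. The mounts table in sample_mounts is constructed for the demonstration; without a table argument the functions read the real /proc/mounts.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists world-writable directories and
# reports whether the mount holding each one carries noexec.
# sample_mounts is a constructed table; the default table is /proc/mounts.

# Print world-writable directories below ROOT, sticky bit or not.
world_writable() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# Print the options of the longest mount point that is a prefix of PATH.
# The mounts table (dev mountpoint fstype options ...) is read from stdin.
mount_opts() {
    awk -v p="$1" '
        { mp = $2; pre = (mp == "/") ? "/" : (mp "/")
          if ((p == mp || index(p, pre) == 1) && length(mp) > best) {
              best = length(mp); opts = $4 } }
        END { print opts }'
}

# has_opt PATH OPT [TABLE]: succeed if the mount holding PATH has option OPT.
has_opt() {
    case ",$(mount_opts "$1" < "${3:-/proc/mounts}")," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# Constructed /proc/mounts-style table for the demonstration.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw,noatime 0 0
/dev/sda2 /usr ext3 ro,noexec,nodev 0 0
/dev/sda3 /var ext3 rw,nosuid 0 0
tmpfs /tmp tmpfs rw,noexec,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
}

# report ROOT [TABLE]: one line per world-writable dir, tagged noexec or EXEC.
report() {
    world_writable "$1" | while read -r d; do
        if has_opt "$d" noexec "${2:-/proc/mounts}"; then echo "$d noexec"; else echo "$d EXEC"; fi
    done
}

if [ $# -gt 0 ]; then report "$@"; fi
```

Run as `sh check.sh /` to scan a live system against its own /proc/mounts; every line tagged EXEC is a directory where anyone can both write and run a file.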