On Fri, Oct 17, 2003 at 09:05:04AM -0700, Christian G. Warden wrote:
> we have the same problem with english.
>
> $ dict security
> 2 definitions found
>
> From Webster's Revised Unabridged Dictionary (1913) [web1913]:
>
>   Security \Se*cu"ri*ty\, n.; pl. {Securities}. [L. securitas: cf.
>      F. s['e]curit['e]. See {Secure}, and cf. {Surety}.]
>      [...]
>      (c) Freedom from risk; safety.
>      [...]

Ok, how about wrapping this thread up sometime soon. The semantics and philosophical issues can be discussed in much greater depth than they have been so far, but preferably not on deb-sec.

Here are some observations:

Making /usr read-only is not likely going to be an option in debian-installer any time soon. The question is whether to mention the possibility of doing it in any documentation.

It's not much of a defense against a cracker, and only useful against an automated attack that doesn't check for it, in terms of security, so the Debian security manual isn't an obvious place for it. It's the sort of thing that could get mentioned as a possibly-useful-for-some-systems kind of thing in with other sysadmin tips and tricks.

Any docs that do mention it should include info on how to tell apt to mount it read-write before running dpkg, and read-only again after:

    DPkg {
        // Auto re-mounting of a readonly /usr
        Pre-Invoke {"mount -o remount,rw /usr";};
        Post-Invoke {"mount -o remount,ro /usr";};
    }

from: http://lists.debian.org/debian-devel/2001/debian-devel-200111/msg00212.html
(note the caveat that dpkg could sometimes leave running processes with file descriptors open on deleted files, preventing /usr from being remount ro again.)

So, as I see it, mounting /usr read-only is of minor benefit, and is only even possible for people who have /usr on a filesystem by itself, or with other read-only stuff. It's worth a mention somewhere, but shouldn't be promoted as a best-practice or something that all good admins do. If a particular system would really benefit from it, the admin probably just needs to see the idea mentioned, not see a big list of effects on systems in general.

-- 
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , des.ca)

"The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces!" -- Plautus, 200 BC
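
Added example, not part of the original message or of apt/dpkg: a shell check for the caveat mentioned above, listing processes that still hold deleted files under /usr before the read-only remount is attempted. The function names and the optional PROC_ROOT argument are assumptions made for this illustration; the check relies on Linux /proc marking such files with " (deleted)".

```shell
#!/bin/sh
# Added example: why "mount -o remount,ro /usr" can fail after dpkg runs.
# Function names and the optional PROC_ROOT argument are hypothetical;
# PROC_ROOT lets the check run against a constructed tree instead of /proc.

# deleted_holders MOUNTPOINT [PROC_ROOT]
# Prints "PID PATH" for each deleted file under MOUNTPOINT still open or mapped.
deleted_holders() {
    mnt=${1%/}
    proc=${2:-/proc}
    for piddir in "$proc"/[0-9]*; do
        [ -d "$piddir" ] || continue
        pid=${piddir##*/}
        # Open descriptors: the kernel appends " (deleted)" to the link target.
        for fd in "$piddir"/fd/*; do
            [ -L "$fd" ] || continue
            target=$(readlink "$fd") || continue
            case $target in
                "$mnt"/*" (deleted)")
                    printf '%s %s\n' "$pid" "${target% (deleted)}" ;;
            esac
        done
        # Mapped files, e.g. a shared library that dpkg has just replaced.
        [ -r "$piddir/maps" ] || continue
        sed -n 's|^[^ ]* [^ ]* [^ ]* [^ ]* [^ ]* *\(/.*\) (deleted)$|\1|p' \
            "$piddir/maps" |
            while IFS= read -r path; do
                case $path in
                    "$mnt"/*) printf '%s %s\n' "$pid" "$path" ;;
                esac
            done
    done | sort -u
}

# remount_ro_if_clear MOUNTPOINT [PROC_ROOT]
# Remounts read-only only when nothing holds a deleted file; otherwise
# reports the holders on stderr and returns 1 without touching the mount.
remount_ro_if_clear() {
    holders=$(deleted_holders "$1" "${2:-/proc}")
    if [ -n "$holders" ]; then
        printf '%s stays read-write; deleted files still in use:\n%s\n' \
            "$1" "$holders" >&2
        return 1
    fi
    mount -o remount,ro "$1"
}
```

A Post-Invoke hook could call a script wrapping `remount_ro_if_clear /usr` in place of the bare mount command, so a failed remount is reported with the processes that need restarting.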