On Tue, 8 Jul 1997 [EMAIL PROTECTED] wrote:
> > * All filesystems are read-only.
> Even /home? How are these people going to create any data if all filesystems
> are read-only. Certainly, they have to have write access to some portion of
> the system. Yes? If they do have write access anywhere on the system then
> they can create executables.

/var is read-write, but noexec.

> > * (Re)mounting is disabled.
> > * immutable-append-only are enforced by the kernel (i.e. you can't chmod
> > them away).
> Does this mean that you have to boot to a different kernel to do software
> upgrades?

yes.

> > * /var is _not_ read-only, but noexec, nodev.
> > * all directories in /var are immutable - log-files are append-only.
> How are you going to rotate your log files? They are going to get pretty
> large. Are you going to take the system down to some maintenance run-level
> every day or so in order to do your house-keeping?

kernel-support.

> > * No compiler, no advanced scripting languages available, no debugger, no
> > dynamically linked executables.
> When you say "no advanced scripting languages" are you including bash, tcsh
> and zsh?

no

> Shared libraries are a good thing. The system is going to require much more
> memory to run if all executables are statically linked. And then when a new
> library is made available, you're going to have to recompile all of your
> executables. This doesn't sound desirable to me.

You're absolutely right, better use a stripped down dynamic linker. My point
was that you shouldn't be able to use a LD_PRELOAD-type of attack to get
something to execute out of /var.

> Which Linux distribution do you currently base your system on?

none.

> OK, but that still leaves "sh myprog.sh".

yes.

> The base Debian doesn't have "a dozen languages" on it. I thought we were
> talking about needing Perl on a base Debian system? Perl is one language.
> Java support is truly optional.

yes we're only talking about perl.

> By "specialized" distributions, do you mean like the Linux Router Project
> and other embedded systems? It seems to me that one could install the base
> system and then remove the few packages that are not desired. Once that's
> done, you've got the "specialized" distribution. yes?

Yes. But dpkg depends on perl for its backends so you'll be crippled. An
important advantage debian has over other distributions is the
package-system.

astor
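
An added example, not part of the original message or of any project mentioned in it: a small audit of a mount table in /proc/mounts format against the policy discussed above, where every filesystem is read-only and any writable one (such as /var) must carry both noexec and nodev. The device names and the sample table are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Audit a mount table against the policy from the thread:
#   - filesystems are read-only, or
#   - if writable, they must be mounted noexec AND nodev.
# As the thread itself concedes, noexec does not stop "sh myprog.sh":
# an interpreter can still read a script from a noexec filesystem.

# Constructed sample input (not from a real system).
SAMPLE_MOUNTS='/dev/hda1 / ext2 ro 0 0
/dev/hda2 /usr ext2 ro,nodev 0 0
/dev/hda3 /var ext2 rw,noexec,nodev 0 0
/dev/hda4 /home ext2 rw,nodev 0 0
/dev/hda5 /tmp ext2 rw,noexec 0 0'

# audit_mounts: reads mount-table lines on stdin and prints one line per
# violation as "<mountpoint>: <reason>". Prints nothing if the policy holds.
audit_mounts() {
    awk '
    NF < 4 || $1 ~ /^#/ { next }          # skip blank, short, comment lines
    {
        mp = $2; n = split($4, opt, ","); ro = 0; noexec = 0; nodev = 0
        for (i = 1; i <= n; i++) {
            if (opt[i] == "ro")     ro = 1
            if (opt[i] == "noexec") noexec = 1
            if (opt[i] == "nodev")  nodev = 1
        }
        if (ro) next                      # read-only mounts satisfy the policy
        if (!noexec) print mp ": writable without noexec"
        if (!nodev)  print mp ": writable without nodev"
    }'
}

# policy_ok: exit status 0 only when audit_mounts reports no violations.
policy_ok() {
    [ -z "$(audit_mounts)" ]
}

# Run the audit on the constructed sample.
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
```

On a live system the same function can be fed `/proc/mounts`; virtual filesystems such as proc are held to the same rule as disk-backed ones.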