Quoting Benny Amorsen (benny+use...@amorsen.dk): > Richard Zidlicky <r...@linux-m68k.org> writes: > > > Mounting the fs read only is much easier and safer - and has long tradition. > > This is not feasible as a distribution policy. You can't guarantee that > /usr/bin is on its own partition so you can mount it read only. The only > way to achieve it would be creative use of mount --bind, something which > certainly goes against tradition. > > Also, the advantage of the proposed change was that it would not affect > e.g. yum upgrade. Creative use of mount --bind could perhaps achieve the > same result, but not in a way which I consider sane. > > All in all I think it's a shame that the original proposal didn't work > out at this time. Having binaries owned by bin:bin does have Unix (but > not Linux AFAIK) tradition behind it.
And remounting ro doesn't let a task with CAP_DAC_OVERRIDE write. -serge -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
