Le 05/01/2022 à 23:12, Hendrik Boom a écrit :
On Wed, Jan 05, 2022 at 09:54:20PM +0100, Didier Kryn wrote:
Le 05/01/2022 à 16:11, Hendrik Boom a écrit :
On Wed, Jan 05, 2022 at 12:08:18AM +0100, Didier Kryn wrote:
Le 04/01/2022 à 23:38, Hendrik Boom a écrit :
On Tue, Jan 04, 2022 at 05:09:58PM +0100, Didier Kryn wrote:
There is no utility in splitting the OS in several partitions.
Might it make sense to have /usr mounted readonly except when upgradng
or installing paackages?
What could you fear which makes you want to keep /usr readonly.
software that isn't properly packaged as a .deb, but instead has an
"installer" that needs to be run as root.
If the installer must be run as root, it is precisely because it
needs
to install software in /usr. You have an alternative: either mount /usr
readwrite and install it, or keep /usr readonly and not install it.
Keeping
/usr readonly and trying to install the software has no chance to work.
Such software should be installing to /opt, but might not.
Installing application and configuration files in /opt is a
possibility, but what to do with man page, application launcher, entry
in the application menu? Installing in /opt does not require to mount
/usr readonly. Just create a particular user account for /opt and use it
to install. Even one user and one subdir per application.
I have written such a software, called hopman. This discussion
suggests
me that I should provide the option to install it in a user's directory,
without the need to be root, rather than install it system-wide.
software that is properly packaged, but has components that run as root
but do stuff with /usr outside my expectations.
Do you mean a package from a Debian repository which would install a
trojan horse in /usr?
Packages from other sources that are built for Debian but aren't part
of Debian.
For these ones my personal attitude is binary: either I trust them
or I don't, not half. Anyway, is there a difference wether the Trojan
horse is in /usr or /opt ? Which matters is rather the permissions it
has, then at first glance, creating an account per application seems a
good practice.
-- Didier
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
