>What I'm saying is that it takes less work overall to subtract from a
>system in a supportable way than it is to try and handcraft an
>unsupportable system.

If you know the supportable system well and your goal is only
a slight variation of what that system does, then that makes
perfect sense.

If, on the other hand, you are new to the system, and you
notice many examples of problems caused by what appears
to be the basic underpinnings of the system (things like
multiuser and TCP, itself, not to mention the open, welcoming
nature of open source), the kinds of things hard to avoid in a
modern OS, then your argument is less convincing.

If what I've said sounds absurd or unsound, a calm reaction
might be, "try building your own OS!"  And I have tried, and it
is not trivial.  So I look for answers outside of that and of course
OpenBSD is the smallest, strongest, most popular alternative
(for people who seek a secure platform).

And I ask simple (sometimes *too* simple!) questions, and get
answers and move slowly forward.

What I am trying to do (thank you Troy Martin), is work through
the standard answers and missteps toward a more secure OS,
starting with OpenBSD and a flashlight.  It is my humble opinion
that the optimal number of users for (say) a laptop is one.
And the optimal number for a server is zero.  I doubt many would
agree with that assessment, but I'm looking for solutions, regardless.

And yes I do respect the decades and megahours that have gone
into Unix and OpenBSD, by people who are far superior to me
intellectually.  My flashlight is weak, but it still works.

Thanks to all (Rodrigo, esp.) for helping me to see straighter.

-Jim



On Fri, May 10, 2019 at 11:52 AM Misc User <open...@leviathanresearch.net>
wrote:

> On 5/10/2019 1:28 AM, cho...@jtan.com wrote:
> > Misc User writes:
> >> It is theoretically possible to do that, but you'd have to do -a lot-
> >> of work to get it to do so.  It'd be much easier finding a proper
> >> way to accomplish what you want without running single-user.
> >
> > I wouldn't recommend using single user mode to do anything other than
> > repair but it's not true to say that doing so is a lot of work. /etc/rc
> > is only ~600 lines and a lot of that is unnecessary if the server is
> > going to run a single thing. In many cases you can probably get away
> > with just mount/fsck/pfctl/netstart.
> >
> > There is actually no such thing as "single user mode". All there is is a
> > kernel which hasn't done anything yet, and everything OpenBSD does as
> > it "enters multi-user mode" is described clearly and comprehensively in
> > /etc/rc. Duplicating what little of it you want is, literally, as simple
> > as copy-paste.
> >
> > Matthew
> >
> What I'm saying is that it would take far more work to get something
> like httpd to run at that stage than it would take to make the changes
> to a fully booted, and supportable, system.  Making changes to rc is
> going to force the system's operator to make adjustments at every
> system upgrade.
>
> Besides, it is possible to build a very light-weight system to run a
> single thing while still being secure and supportable.  I have a VM
> template (Well, a sitexx.tgz file) that just contains an rc.conf.local,
> a new crontab, a syslogd.conf, and a few trivial scripts.  The system
> weighs in at 8 MB of used RAM in normal operation and a load average of
> zero.  It is also trivial to upgrade, has all its protections, and I can
> remotely monitor it.  Took me two hours to build it, most of that spent
> modifying copies of daily/weekly/monthly to output via syslog instead of
> mail.
>
>
> What I'm saying is that it takes less work overall to subtract from a
> system in a supportable way than it is to try and handcraft an
> unsupportable system.
>
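The subtractive approach Misc User describes (a site tarball carrying an rc.conf.local rather than a hand-cut /etc/rc), as an added example that is not code from anyone in this thread; the service list, the staging layout and the version suffix (65) are assumptions:

```shell
#!/bin/sh
# Added example, not code from the thread: stage and pack a small
# siteXX.tgz that "subtracts" from a stock OpenBSD install by shipping
# an rc.conf.local which turns off default daemons and leaves httpd
# (plus sshd for remote monitoring).  Only rc.conf.local changes, so
# /etc/rc stays untouched and upgrades remain supportable.  The service
# list and file layout are assumptions for illustration.
set -eu

# Stage the tarball contents under $1 (the tree is extracted over /).
stage_site() {
    root=$1
    mkdir -p "$root/etc"
    # Each *_flags=NO removes a daemon from the multi-user boot, which
    # is less attack surface to patch; an empty value enables the
    # daemon with its default flags.
    cat > "$root/etc/rc.conf.local" <<'EOF'
httpd_flags=
sshd_flags=
smtpd_flags=NO
sndiod_flags=NO
EOF
}

# Print, on one line, the services rc.conf.local leaves enabled.
enabled_services() {
    sed -n 's/^\([a-z0-9_]*\)_flags=\(.*\)$/\1 \2/p' "$1" |
        awk '$2 != "NO" { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Pack the staged tree as $2/site$3.tgz (e.g. site65.tgz for 6.5)
# and print the archive path.
build_site_tgz() {
    root=$1; outdir=$2; version=$3
    mkdir -p "$outdir"
    tar -czf "$outdir/site$version.tgz" -C "$root" .
    echo "$outdir/site$version.tgz"
}

# Succeed only if the archive actually carries the rc.conf.local override.
verify_site_tgz() {
    tar -tzf "$1" | grep -q 'etc/rc.conf.local$'
}

if [ $# -eq 3 ]; then
    # usage: sh build-site.sh <stagedir> <outdir> <version>
    stage_site "$1"
    tgz=$(build_site_tgz "$1" "$2" "$3")
    verify_site_tgz "$tgz"
    echo "built $tgz, enabled: $(enabled_services "$1/etc/rc.conf.local")"
fi
```

Dropped next to the other install sets, siteXX.tgz is unpacked over / as the last set, which is what lets the override survive a stock install without editing /etc/rc.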