1 |
Michał Górny schrieb: |
2 |
>> If you have / encrypted, then you can leave /usr unencrypted as it |
3 |
>> contains no secrets. |
4 |
> |
5 |
> That's doing things upside-down. You should encrypt the data needing |
6 |
> encryption, not the other way. This usually means /home which is |
7 |
> separate more often than /usr. |
8 |
|
9 |
That is precisely what is done here. On a typical system I assume that |
10 |
secrets can be in /etc, /home and /var. Encrypting /usr might not give |
11 |
you a security gain and just consume resources. |
12 |
|
13 |
>> Also /usr can remain mounted read-only most of the time, so there is |
14 |
>> a reduced chance of accidental corruption. I don't know the number of |
15 |
>> users who might want this, and I imagine it is difficult to count |
16 |
>> them. |
17 |
> |
18 |
> Is this actually possible now? Last time I tried doing things like this |
19 |
> X11 failed to set keyboard mappings trying to store compiled ones |
20 |
> in /usr. |
21 |
|
22 |
I have not seen any machine running X have read-only /usr yet. Maybe it |
23 |
is something that could be investigated. If I have time, I'll experiment |
24 |
what happens when I do a read-only bind-mount of /usr on itself. |
25 |
|
26 |
>> If you say that /usr must be on the same filesystem as /, then there |
27 |
>> is no real reason to not just make a symlink /usr -> . |
28 |
> |
29 |
> That's a joke, right? |
30 |
|
31 |
There are folks who seriously take this into consideration. I don't |
32 |
necessarily agree with them, though. |
33 |
|
34 |
|
35 |
Best regards, |
36 |
Chí-Thanh Christopher Nguyễn |