| 1 |
Michał Górny schrieb: |
| 2 |
>> If you have / encrypted, then you can leave /usr unencrypted as it |
| 3 |
>> contains no secrets. |
| 4 |
> |
| 5 |
> That's doing things upside-down. You should encrypt the data needing |
| 6 |
> encryption, not the other way. This usually means /home which is |
| 7 |
> separate more often than /usr. |
| 8 |
|
| 9 |
That is precisely what is done here. On a typical system I assume that |
| 10 |
secrets can be in /etc, /home and /var. Encrypting /usr might not give |
| 11 |
you a security gain and just consume resources. |
| 12 |
|
| 13 |
>> Also /usr can remain mounted read-only most of the time, so there is |
| 14 |
>> a reduced chance of accidental corruption. I don't know the number of |
| 15 |
>> users who might want this, and I imagine it is difficult to count |
| 16 |
>> them. |
| 17 |
> |
| 18 |
> Is this actually possible now? Last time I tried doing things like this |
| 19 |
> X11 failed to set keyboard mappings trying to store compiled ones |
| 20 |
> in /usr. |
| 21 |
|
| 22 |
I have not seen any machine running X have read-only /usr yet. Maybe it |
| 23 |
is something that could be investigated. If I have time, I'll experiment |
| 24 |
what happens when I do a read-only bind-mount of /usr on itself. |
| 25 |
|
| 26 |
>> If you say that /usr must be on the same filesystem as /, then there |
| 27 |
>> is no real reason to not just make a symlink /usr -> . |
| 28 |
> |
| 29 |
> That's a joke, right? |
| 30 |
|
| 31 |
There are folks who seriously take this into consideration. I don't |
| 32 |
necessarily agree with them, though. |
| 33 |
|
| 34 |
|
| 35 |
Best regards, |
| 36 |
Chí-Thanh Christopher Nguyễn |
Archives