| 1 |
On Mon, 12 Dec 2011 06:59:30 -0500 |
| 2 |
"Anthony G. Basile" <basile@××××××××××××××.edu> wrote: |
| 3 |
|
| 4 |
> How would you handle /etc/ ? You can't separate it from / which needs |
| 5 |
> to be exec and yet /etc/ needs to be writeable. |
| 6 |
|
| 7 |
What for after the main install, password changes (I use scripts |
| 8 |
allowed via sudo for that and monitor mounts globally but the monitoring |
| 9 |
could be improved like grsecs offering), some programs require it during |
| 10 |
install but not many, none on my OpenBSD mail and web servers. |
| 11 |
|
| 12 |
I'm in the process of attempting to complete this on Linux rather than |
| 13 |
just /home etc. but on OpenBSD and the plan for single user linux |
| 14 |
systems is to remount for updates, which is done in a controlled |
| 15 |
fashion. Most of the time and especially on servers on OpenBSD you only |
| 16 |
need to remount /usr/local. On those systems I use One Time Passwords |
| 17 |
and if some rare thing means I do need to remount / then sudo allows |
| 18 |
this, on others or on firewalls a reboot may be required if it's local |
| 19 |
and redundant or if that's not a problem. |
| 20 |
|
| 21 |
On OpenBSD desktops the only thing I did have to mount seperately was |
| 22 |
|
| 23 |
/etc/X11/xdm/authdir |
| 24 |
|
| 25 |
but I probably should have just made them single user/auto-login. Bigger |
| 26 |
problems on OpenBSD servers (no devfs) are ttys for multi-user systems |
| 27 |
or multiple ssh users needing tty permission changes, otherwise only |
| 28 |
sftp works for all other users, which could be a feature for |
| 29 |
me atleast ;-). Originally I was going to try mounting /dev seperately |
| 30 |
but the book Absolute OpenBSD Unix for the practical paranoid said |
| 31 |
you couldn't, I guess it would need to be built into the kernel to boot. |
| 32 |
|
| 33 |
There's also secure knocking that runs commands that may not need ttys |
| 34 |
but I think they have to be pre-ordained, but maybe not. |
Archives