On Mon, 12 Dec 2011 06:59:30 -0500
"Anthony G. Basile" <basile@××××××××××××××.edu> wrote:

> How would you handle /etc/ ? You can't separate it from / which needs
> to be exec and yet /etc/ needs to be writeable.

What for after the main install, password changes (I use scripts
allowed via sudo for that and monitor mounts globally but the monitoring
could be improved like grsec's offering), some programs require it during
install but not many, none on my OpenBSD mail and web servers.

I'm in the process of attempting to complete this on Linux rather than
just /home etc. but on OpenBSD and the plan for single user Linux
systems is to remount for updates, which is done in a controlled
fashion. Most of the time and especially on servers on OpenBSD you only
need to remount /usr/local. On those systems I use One Time Passwords
and if some rare thing means I do need to remount / then sudo allows
this, on others or on firewalls a reboot may be required if it's local
and redundant or if that's not a problem.

On OpenBSD desktops the only thing I did have to mount separately was

/etc/X11/xdm/authdir

but I probably should have just made them single user/auto-login. Bigger
problems on OpenBSD servers (no devfs) are ttys for multi-user systems
or multiple ssh users needing tty permission changes, otherwise only
sftp works for all other users, which could be a feature for
me at least ;-). Originally I was going to try mounting /dev separately
but the book Absolute OpenBSD: Unix for the Practical Paranoid said
you couldn't, I guess it would need to be built into the kernel to boot.

There's also secure knocking that runs commands that may not need ttys
but I think they have to be pre-ordained, but maybe not.
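The controlled remount-for-updates practice and the global mount monitoring mentioned in the reply, as an added shell example that is not code from the thread or from either poster: an audit that flags mounts expected to be read-only but currently writable, and a wrapper that remounts read-write only for the duration of one command. The /proc/mounts table layout, the EXPECTED_RO list and the sample table entries are assumptions constructed for the example.

```shell
# Added example, not code from the thread: a read-only mount audit plus the
# kind of sudo-allowed remount wrapper the mail describes. Assumes a Linux
# /proc/mounts-style table; mount points listed in EXPECTED_RO are assumptions.

EXPECTED_RO="/ /usr /usr/local"   # mounts this host is supposed to keep read-only

# Constructed sample table (device mountpoint fstype options dump pass).
sample_mount_table() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
/dev/sda1 / ext4 ro,relatime 0 0
/dev/sda2 /usr ext4 rw,relatime 0 0
/dev/sda3 /usr/local ext4 ro,nodev 0 0
EOF
}

# writable_expected_ro [FILE]: print every EXPECTED_RO mount point whose
# current options lack "ro" (or that is not mounted at all); return 1 if any.
# The last table entry for a mount point wins, as later mounts shadow earlier ones.
writable_expected_ro() {
    table=$(cat "${1:-/proc/mounts}")
    bad=0
    for mp in $EXPECTED_RO; do
        opts=$(printf '%s\n' "$table" | awk -v m="$mp" '$2 == m { o = $4 } END { print o }')
        case ",$opts," in
            *,ro,*) ;;                          # read-only as expected
            *) printf '%s\n' "$mp"; bad=1 ;;    # writable or missing: report it
        esac
    done
    return $bad
}

# with_rw MOUNTPOINT CMD...: remount read-write, run CMD, and remount read-only
# again even if CMD fails. This is the single script one would permit via sudo
# instead of granting an unrestricted "mount" rule.
with_rw() {
    mp="$1"; shift
    mount -o remount,rw "$mp" || return 1
    trap 'mount -o remount,ro "$mp"' EXIT
    "$@"; rc=$?
    mount -o remount,ro "$mp" && trap - EXIT
    return $rc
}

# Stand-alone demo on the constructed table; it never touches real mounts.
tmp=$(mktemp)
sample_mount_table > "$tmp"
writable_expected_ro "$tmp" || echo "the mounts above are writable but expected read-only"
rm -f "$tmp"
```

Run without a FILE argument the audit reads the live /proc/mounts, so it can be dropped into the existing mount monitoring as a periodic check.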