On Wed, Jan 27, 2010 at 04:10:39PM +0100, Benny Amorsen wrote:
>
> > Mounting the fs read only is much easier and safer - and has long tradition.
>
> This is not feasible as a distribution policy. You can't guarantee that
> /usr/bin is on its own partition so you can mount it read only.

Of course it is not guaranteed. But it is not difficult to detect and I think plenty of sysadmins are doing it that way. Used to have many more advantages than just a marginal gain in security. Fedora certainly cannot mandate this as a policy; it would be nice if it would work with this common setup.

> Also, the advantage of the proposed change was that it would not affect
> e.g. yum upgrade. Creative use of mount --bind could perhaps achieve the
> same result, but not in a way which I consider sane.

That would be indeed insane. But as has been mentioned, rpm could have a hook to do some actions before and after modifying anything.

> All in all I think it's a shame that the original proposal didn't work
> out at this time. Having binaries owned by bin:bin does have Unix (but
> not Linux AFAIK) tradition behind it.

Now that you mention bin:bin, I remember the old days.

Richard