From owner-freebsd-security Tue Jan 23 05:44:55 1996
Date: Tue, 23 Jan 1996 14:46:11 +0200
From: Dmitry Kohmanyuk
Message-Id: <199601231246.OAA00822@dog.farm.org>
To: nate@sri.MT.net (Nate Williams)
Cc: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: ssh /etc config files location..
Newsgroups: cs-monolit.gated.lists.freebsd.security
Reply-To: dk+@ua.net

In article you wrote:
> > still don't like things touching /etc though. I don't see why we
> > should make exceptions for ports that install into /usr/local if they
> > happen to have host specific configurations, that's something that the
> > local NFS admin should sort out. You'll have exactly the same problem
> > if you administer diskless machines.
> Agreed. I don't see an easy answer to this, but the current system is
> unacceptable for hosts that share /usr/local.

Oh guys, but we can just make a symlink! NFS mount your /usr/local and just have /usr/local/etc pointing to /etc/local. It's just so plain easy. (Or make /usr/local/etc/ssh -> /etc/ssh if ssh uses a directory for its config files.) Maybe this should become a policy??

Hmm, somebody should now argue that the security problem with NFS spoofing remains. Yes. But having setuid root binaries in /usr/local is not more dangerous anyway.

I have read Linux's FSSTND document (available from tsx-11.mit.edu in /pub/linux/docs/linux-standards/fsstnd), and these guys seem to do it right (i.e., _all_ host-dependent stuff is not under /usr). On my system, I have /var/links and /usr/X11/bin/X -> /var/links/X11/X which in turn points back to /usr/X11/bin/XF86_

Also, /usr/share/man/cat* should _NOT_ reside in /usr, but rather in /var/man (or /var/catman??).

Since it now seems to move away from the -security topic, I am cross-posting it to -hackers.

--
"C makes it easy to shoot yourself in the foot, C++ makes it harder, but when you do, it blows away your whole leg" -- Bjarne Stroustrup
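The symlink layout proposed in the message above, turned into an added audit check that is not part of the original thread: it verifies that a host's /usr/local/etc on the shared tree is really a symlink resolving to the local /etc/local directory, and flags the failure modes (a real directory left on the NFS-shared tree, a dangling link, a link pointing elsewhere). The ROOT prefix argument and the check_local_link/audit_host_config names are assumptions made for this example so it can run against a constructed tree.

```shell
#!/bin/sh
# Audit whether host-specific config under a shared /usr/local has been
# moved to the local /etc via a symlink, as proposed in the thread.
# ROOT is a prefix (/ on a real host, or a scratch directory for testing);
# the function and argument names are assumptions for this example.

# check_local_link ROOT LINK TARGET
# Returns 0 when ROOT/LINK is a symlink resolving to the directory
# ROOT/TARGET; returns 1 (with a warning on stderr) otherwise.
check_local_link() {
    root=$1; link=$2; target=$3
    if [ ! -L "$root/$link" ]; then
        if [ -d "$root/$link" ]; then
            # Worst case from the thread: host config lives on the shared tree.
            echo "WARN: $link is a real directory on the shared tree" >&2
        else
            echo "WARN: $link is missing" >&2
        fi
        return 1
    fi
    if [ ! -d "$root/$link" ]; then
        echo "WARN: $link is a dangling symlink" >&2
        return 1
    fi
    want=$(cd "$root/$target" 2>/dev/null && pwd -P) || {
        echo "WARN: $target is missing" >&2; return 1; }
    got=$(cd "$root/$link" && pwd -P)   # physical path the link resolves to
    if [ "$got" != "$want" ]; then
        echo "WARN: $link resolves to $got, expected $want" >&2
        return 1
    fi
    return 0
}

# audit_host_config ROOT: the /usr/local/etc -> /etc/local layout from the
# thread. The per-program variant (/usr/local/etc/ssh -> /etc/ssh) would be
# checked the same way with "usr/local/etc/ssh etc/ssh".
audit_host_config() {
    check_local_link "$1" usr/local/etc etc/local
}

# Example invocation against the live system: audit_host_config /
```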