From owner-freebsd-current@FreeBSD.ORG Mon Sep 26 21:14:25 2011 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2BAE7106566B; Mon, 26 Sep 2011 21:14:25 +0000 (UTC) (envelope-from brett@lariat.net) Received: from lariat.net (lariat.net [66.62.230.51]) by mx1.freebsd.org (Postfix) with ESMTP id 88EE58FC14; Mon, 26 Sep 2011 21:14:24 +0000 (UTC) Received: from WildRover.lariat.net (IDENT:ppp1000.lariat.net@lariat.net [66.119.58.2] (may be forged)) by lariat.net (8.9.3/8.9.3) with ESMTP id OAA17199; Mon, 26 Sep 2011 14:35:04 -0600 (MDT) Message-Id: <201109262035.OAA17199@lariat.net> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Mon, 26 Sep 2011 14:34:34 -0600 To: Benjamin Kaduk From: Brett Glass In-Reply-To: References: <201109260053.SAA25795@lariat.net> <201109260927.02540.jhb@freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Mailman-Approved-At: Mon, 26 Sep 2011 21:25:52 +0000 Cc: freebsd-current@freebsd.org Subject: Re: Experiences with FreeBSD 9.0-BETA2 X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Sep 2011 21:14:25 -0000 At 12:03 PM 9/26/2011, Benjamin Kaduk wrote: >On Mon, 26 Sep 2011, John Baldwin wrote: > >>I can't speak to the "one-big-fs" bit (there was another thread >>long ago about >>that). However, as to the partitioning bit, bsdinstall is >>defaulting to using > >The question of how to layout and split filesystems was discussed >at the filesystems working group of the devsummit at BSDCan this >may. (http://wiki.freebsd.org/201105DevSummit/FileSystems down to >"Filesystem Layout" near the bottom) Though "one big root" did >not garner a huge amount of support, neither were there >particularly compelling arguments against it (if I remember >correctly). It's certainly easier to write an autopartitioner >for, so I don't really blame Nathan for having chosen it initially. My personal preference would be to place portions of the directory tree which contain critical configuration information and are not written in normal use -- e.g. /etc and /boot -- in one or more separate partitions. This would make it possible to mount them read-only unless the system configuration was being changed, new software was being installed, or a new kernel was being generated. This would protect them not only from malicious tampering but also from being scrambled by buggy userland software. And since it would not be written during normal operation, it would survive 100% intact even if journaling and/or serialization of metadata updates (e.g. softupdates) were to fail. Unfortunately, due to past history, /usr is mixed-use. It normally contains both configuration information -- e.g. /usr/local/etc -- and more volatile data such as users' home directories. This prevents /usr/local/etc, which also contains mission-critical configuration information, from being protected if you just protect /. Some proprietary Unices have fixed this historical flaw in the traditional hierarchy by moving /usr/local/etc to another location and them symlinking it back to where seasoned administrators expect it to be, thus honoring POLA. The three open source, old school BSDs (Free, Net, Open) have not done this to date, but it's something that should be considered in the long run. It would certainly make the creation of embedded systems easier, as well as enhancing security in multi-user systems! If I wrote an installer, my preference would be to have it create one partition that contained critical configuration information and software (and could be mounted read-only) and one that contained the rest of the usual directory tree (and could be mounted read-write). It could do the symlinking trick mentioned above to bring parts of /usr over to the read-only administrative partition. The only cleanup task that would remain would be to make sure that no ports were configured to place their logs, pid files, etc. in directories such as /usr/local/etc. (Most already do not.) --Brett