From: Freminlins
Date: Tue, 1 Aug 2006 20:04:08 +0100
To: Erik Nørgaard
Cc: freebsd-questions@freebsd.org, Tyler Spivey
Subject: Re: switching from linux to freebsd

On 01/08/06, Erik Nørgaard wrote:

> If you configure your server using LDAP or NIS for user management then
> you only need to mount the root file system rw when updating the base
> system or changing root password. Add the MAC and you will likely be
> able to protect further against the attack you mention.

Or when you want to patch or install other software, unless you put
/usr/local on its own partition. And put /usr/ports somewhere else. And
don't tinker with anything in /etc/mail.

I think we're just going to disagree on this.

I have never yet seen a situation where mounting the OS disk ro proved to be
useful. I have seen it hinder perfectly normal sysadmin work. I have seen
one instance in 10 years where it would have stopped a silly mistake
(someone moved libc on Solaris). But as that person was doing
something they were supposed to be doing and just made a mistake, they would
have made the same mistake after mounting the disk rw if it had been mounted
ro.

> Cheers, Erik

Cheers,
Frem.