[nycbug-talk] FreeBSD security document & tool. . .

Tillman Hodgson tillman
Fri Feb 18 12:28:38 EST 2005


On Fri, Feb 18, 2005 at 08:37:14AM -0500, steverieger wrote:
> To be honest with you
> 
> I have this exact issue with the fbsd folks (the developers not the users)
> 
> On my other os, I always mount /usr as read only, and all my sql and apache
> stuff goes elsewhere, but the default fbsd setup puts the apache rootdir in
> /usr/local/www and sometimes the /var slice is a bit small to handle all my
> databases. 
> 
> But for any decent sys admin I recommend to always mount /usr as
> ro,nosuid,logging

I usually do mount /usr with restricted rights on boxes where the
ability to upgrade quickly isn't a concern (the security tradeoff for
this practice). But I also have /usr/local as a separate partition (as
well as /usr/ports, /usr/obj and /usr/src -- those are usually remote
filesystems in my case anyway).

-T


-- 
There should be a science of discontent. People need hard times and oppression 
to develop psychic muscles.
	- from "Collected Sayings of Muad'Dib" by the Princess Irulan



