netfilter firewalling problems and solutions

Robert Connolly cendres at
Sun Feb 22 20:13:02 PST 2004

On February 22, 2004 09:51 pm, Archaic wrote:
> On Sun, Feb 22, 2004 at 07:50:35PM -0500, Robert Connolly wrote:
> > I don't want coreutils su to overwrite shadow su, in the event coreutils
> > gets reinstalled. But not just coreutils, anything. It should give a
> > permission denied, or like 'cp -i', if make install tries to copy to a
> > file that already exists. This isn't on my todo list yet. It might be a
> > while before I try to put this into practice.
> Okay. So you want to use chattr +i to do this? If so, that would work
> even if root installed a package, because root can't even overcome
> immutability without explicitly running chattr -i on a file. So now, I
> see no reason for an lfs user. Are there any other reasons for this
> user? BTW, I've said before, but just to be clear to anyone who might
> come across this thread mid-way, chattr is only for ext2/3, so its use
> requires limiting possibilities. Something one needs to watch out for
> lest they get bitten by it.

Chattr would work but it's slow and not portable. Maybe ACLs would be best.
Regardless of who owns the finished system it's still better to run make as user
lfs, but without a sudo system that's hard to manage.
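
Added example, not part of the original thread: a portable pre-install check in the spirit of the `cp -i` behaviour discussed above, listing which files in a staged install tree already exist on the target and whether each one carries the immutable flag. The staging tree (assumed to come from make's DESTDIR convention), the directory layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example. STAGE/ROOT layout and function names are assumptions.

# Print "i" if the file is immutable, "-" if not, "?" if attributes cannot
# be read (chattr flags exist only on some filesystems, e.g. ext2/3).
immutable_flag() {
    attrs=$(lsattr -d -- "$1" 2>/dev/null | awk '{print $1}')
    case "$attrs" in
        "")  echo "?" ;;
        *i*) echo "i" ;;
        *)   echo "-" ;;
    esac
}

# Print "<flag> <relative path>" for every staged file that already exists
# under ROOT. Returns 1 if anything would be overwritten, 0 if nothing
# would be, 2 if the staging tree cannot be read.
list_collisions() {
    stage=$1 root=$2 found=0
    list=$(cd "$stage" && find . \( -type f -o -type l \) | sed 's|^\./||' | sort) || return 2
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        if [ -e "$root/$rel" ] || [ -L "$root/$rel" ]; then
            printf '%s %s\n' "$(immutable_flag "$root/$rel")" "$rel"
            found=1
        fi
    done <<EOF
$list
EOF
    [ "$found" -eq 0 ]
}

# Constructed demo: the staged package ships bin/su and bin/ls, and the
# target root already has bin/su (standing in for shadow's su).
demo() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/stage/bin" "$t/root/bin"
    : > "$t/stage/bin/su"; : > "$t/stage/bin/ls"; : > "$t/root/bin/su"
    rc=0
    list_collisions "$t/stage" "$t/root" || rc=$?
    rm -rf "$t"
    return "$rc"
}
```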

