cendres at videotron.ca
Sat Jan 10 13:36:53 PST 2004
On January 10, 2004 04:18 pm, Amanda Lynn Rossmiller wrote:
> > Read only root filesystem on first boot.
> sounds fun - what's it do?
To keep / from filling up and causing a denial of service.
> > If I remember right glibc or gcc make install attempts to send mail to
> > gnu after a successful build. This is a privacy problem and should be
> > broken, if it actually works.
> shouldn't take more than a small patch..
> what does it try to invoke? mail/sendmail ?
sed is probably enough. mail or sendmail yes.
> > Coreutils
> > -Replace /bin/false and /bin/true.
/bin/false is used in login rejection. Anything involved in that should be
safe. The only thing false is supposed to do is return 1 and exit. GNU's
false does more by accepting --help and --version arguments. So, at least in
my opinion, GNU false is unsafe for its task.
> > -If su is going to be used, sgid might be better.
> what's the matter with su?
Why should everyone have equal access to su? selinux/rsbac fixes this though.
> > Findutils
> > -Move /usr/var/locatedb to /var so /usr could possibly be read only. Also
> > if this database is owned by another user (bin) updatedb doesn't need to
> > run as root.
> isn't this default for lfs anyways?
> i don't recall having a /usr/var on my current lfs.
I think it gets created by updatedb. The default db can be changed in the
command options too.
More information about the hlfs-dev