Henrique de Moraes Holschuh <h...@debian.org> writes:

> On Sun, 03 Apr 2011, Goswin von Brederlow wrote:
>> Henrique de Moraes Holschuh <h...@debian.org> writes:
>> > On Thu, 31 Mar 2011, Goswin von Brederlow wrote:
>> >> > /etc/adjtime
>> >
>> > This needs to survive reboots, and it is also needed early in the boot.
>> > It is used to correct the RTC syndrome.
>> >
>> > I am at a loss about how it could be made compatible with RO /.
>>
>> So my clock is slightly wrong during boot until the ntpd/chrony/ntpdate
>> fixes it. It doesn't give errors so I can live with that.
>
> *Your* clock is slightly wrong, but there are a lot more than just slightly
> wrong clocks out there. You likely don't leave the box turned off for a
> long while, either, and you're usually online so you can use
> ntp/chrony/ntpdate. /etc/adjtime can do wonders to offline boxes, and to
> boxes that are not turned on that often.
>
> OTOH, refreshing my knowledge of this stuff (which I haven't needed for a
> while because right now I have no boxes that stay offline for too long)
> shows that the interaction with a RO / is not too bad (see adjtimex(8),
> http://linuxcommand.org/man_pages/adjtimex8.html).
>
> It looks like we can assume that automatic adjustment of /etc/adjtime will
> only happen where the local admin really knows what he is doing, and manual
> adjustment has never been a problem in the first place.
>
> So, /etc/adjtime must remain where it is, but it can be RO.
That was what I was saying. You cut the part about running read-write for a
while to get the /etc/adjtime primed.

>> >> > /etc/hosts.deny (written by denyhosts, hence that one is a bit hard to
>> >> > fix)
>> >>
>> >> Don't have that. Fix denyhosts to link that to /var/ (or /run when we
>> >> have it).
>> >
>> > Has to be available before any tcp-wrapped network service is started.
>>
>> I guess you could just have a /etc/defaults/hosts.deny that you copy to
>> /run and link /etc/hosts.deny -> /run/hosts.deny before starting
>> tcp-wrapped network services.
>
> No. The fix is to leave /etc/hosts.{deny,allow} alone, and instead fix
> anything that likes to write to them to not do it, and use the extended
> syntax that allows one to read the hosts to block/allow from a separate
> file. Maybe add something that updates the files in /etc at shutdown as
> well.

Works too. I hope that extended syntax allows mentioning a file that is not
yet there. Or would you then get errors about file not found early during
boot?

> Anything else will be playing funny chance games with system security.

Best regards
        Goswin

Archive: http://lists.debian.org/87lizqzc4q.fsf@frosties.localnet
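The layout Henrique proposes and the question Goswin raises about a file that does not exist yet, as an added example that is not part of the thread: a small Python model of hosts_access(5) deny evaluation in which a read-only /etc/hosts.deny holds only a pointer to a denyhosts list on writable /run. Paths, addresses and rule contents are constructed; the parser handles only a subset of the real syntax, and it treats a missing list file as matching nothing rather than as an error, which is what tcp_wrappers' hostfile_match() does when fopen() fails with ENOENT.

```python
import errno
import ipaddress
import tempfile
from pathlib import Path
# Constructed static /etc/hosts.deny; a client pattern starting with '/' names a file of patterns.
STATIC_HOSTS_DENY = "sshd: /run/denyhosts/hosts.deny\nALL: 10.0.0.0/255.0.0.0\n"

def parse_rules(text):
    # Turn 'daemon_list : client_list' lines into (daemons, client tokens) pairs.
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, _, clients = line.partition(":")
            rules.append(([d.strip() for d in daemons.split(",")], clients.split()))
    return rules

def token_matches(token, client_ip, root):
    """Match one client token: 'ALL', an address/network, or a '/file' of tokens."""
    if token.startswith("/"):
        try:
            listed = (root / token.lstrip("/")).read_text().split()
        except OSError as e:
            if e.errno == errno.ENOENT:
                return False  # list not written yet: matches nothing, no error
            raise
        return any(token_matches(t, client_ip, root) for t in listed)
    if token == "ALL":
        return True
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(token, strict=False)
    except ValueError:
        return False

def is_denied(daemon, client_ip, root):
    """True if a rule in <root>/etc/hosts.deny covers both daemon and client_ip."""
    return any((daemon in daemons or "ALL" in daemons)
               and any(token_matches(t, client_ip, root) for t in clients)
               for daemons, clients in parse_rules((root / "etc/hosts.deny").read_text()))

def demo():
    with tempfile.TemporaryDirectory() as d:  # stands in for the real root filesystem
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc/hosts.deny").write_text(STATIC_HOSTS_DENY)
        early = is_denied("sshd", "198.51.100.7", root)   # early boot, /run list absent
        (root / "run/denyhosts").mkdir(parents=True)
        (root / "run/denyhosts/hosts.deny").write_text("198.51.100.7\n203.0.113.0/24\n")
        later = is_denied("sshd", "198.51.100.7", root)
        static = is_denied("smtpd", "10.1.2.3", root)     # RO /etc rule still applies
        return early, later, static
```

Before the /run list exists the sshd rule simply denies nobody; once denyhosts has written it, the entry takes effect without anything ever touching /etc.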