On Friday 17 February 2006 14:36, Rumen Yotov wrote:
> Hi,
> Please don't take this post as a signal for more battles.
> IMHO there are many true facts from both of you.
> Just a few points, as I have some (limited experience with hardened
> systems).
> 1. For 2-3 years using portage-tree in /var/portage, no problems so far,
> all it takes is a symlink in /usr & change in /etc/make.conf file.
> So I can mount all /usr as 'noexec'.

Forgive me for asking, but how is this possible???  The last time I checked 
(which was 2 minutes ago...), /usr is where almost all the executables on my 
system are - /usr/bin, /usr/kde/3.x, /usr/libexec, /usr/sbin...

I kinda doubt that I'll ever take advantage of a setup like this (at least on 
this machine), but I am curious as to how that would work.

For my own machine (notebook with only a 60g hd), I only run 4 basic 
partitions...

/boot - 70 meg (big just in case I want extra kernels, splash screens, etc.)
swap - 1/2 gig - kinda useless, since I upgraded the RAM from 256m to 2g :-)
/ - 35 gig - everything else Linux
25~ gig or so - Windows partition so I can run games in their native 
environment without hassles.

Now, obviously, I haven't sub-partitioned my Linux stuff, mainly due to my 
concerns over a lack of space in general - I don't want to have to worry 
about ANY lost space to allow room on sub-partitions to not fill up to 100%. 
Now, if I had a 200 gig drive, I might not be so concerned with space, and it 
might make some sense for me to set up a few extra partitions.  But I don't, 
and this works for my situation.

As I said at the start, I'm simply curious how you would manage to mount the 
main executable storage area of your system as "noexec".

-- 
Eric Bliss
systems design and integration,
CreativeCow.Net
-- 
gentoo-user@gentoo.org mailing list
