On Sat, Aug 22, 2015 at 07:16:31PM +0200, Emmanuel Dreyfus wrote: > Hello > > We have a rogue test that appends log data to an incorrect open file > descriptors, clobebring various system and library files with logs. That > quickly renders regression slaves unusable. > > I tried an exepriment to thwart that threat: NetBSD FFS filesystem > features an immutable flag, which tells even root cannot modify the > file. I applied it on nbslave7[1-j] for the following files and > directories (and their children) > /.cshrc /.profile /altroot /bin /boot /boot.cfg /etc /grub /lib /libdata > /libexec /netbsd /netbsd7-XEN3PAE_DOMU /opt /rescue /root /sbin /stand > /usr > > Let me know if it is too wide and causes trouble. If anyone wants to > experiment: > Recursively (-R) installs the flag in /usr: > chflags -R uchg /usr > Recursively remove it: > chflags -R nouchg /usr > > We also have schg/noschg, which can be set at any time but can only be > removed by root in a single-user shell. I ruled out this because I am > not sure rackspace console access lets us use single user mode.
Great idea! I was thinking of something like SElinux, but that is obviously not available for NetBSD. Thanks for setting this up and checking on its progress, Niels
pgpapVVo4E8Um.pgp
Description: PGP signature
_______________________________________________ Gluster-infra mailing list Gluster-infra@gluster.org http://www.gluster.org/mailman/listinfo/gluster-infra
