---- Original message ----
>Date: Fri, 8 Dec 2006 02:32:01 -0500 (EST)
>From: Woodchuck <[EMAIL PROTECTED]>
>Subject: Re: mounting an svnd device on /var
>To: misc@openbsd.org
>
>On Thu, 7 Dec 2006, Jacob Yocom-Piatt wrote:
>
>> it's not clear to me where the best place to mount a disk image is using
>> vnconfig for the whole /var partition. this should obviously happen after
>> mounting /usr.
>>
>> advice appreciated.
>>
>> cheers,
>> jake
>
>For a start, I'd *guess* it could be mounted immediately after the
>file-system containing its "regular file" (and of course /usr) is
>mounted. If this file-system is not nfs, then that is at the first
>occurrences of "mount" in /etc/rc. (Around line 203 in 4.0). You
>would add your vnconfig and mount command there. You now have a
>"non-standard" /etc/rc.
>
dave, thanks for your input! this is essentially where i was thinking about adding it. specifically, between lines 260 and 261:

mount -s /usr >/dev/null 2>&1
mount -s /var >/dev/null 2>&1

i'll give this a shot.

>You want it mounted before logging and any other process or daemon
>that uses /var is run, including daemons that chroot to /var, notably
>named. You probably want them running on the svnd, not "underneath"
>it on whatever /var was before mounting the svnd.
>

correct

>Note that if you plan on encryption, the vnconfig command will hang
>waiting for the key. It uses a call to getpass(3) for the key,
>which will read from /dev/tty. Usually /etc/rc executes with a
>/dev/tty so I think that if you use vnconfig -k or -K in /etc/rc, a
>human will have to intervene at boot time to enter the key. (I
>don't know a cute, simple way (i.e. a shell trick) to execute
>vnconfig without a controlling terminal, so it could read from its
>stdin (presumably a disk file or maybe from some dongle-like Sekrit
>Krypto Device) or if that would be a good idea anyway.) You could
>hack vnconfig to read the key from a file, but that's kinda insecure.
>I don't know your threat model. See man getpass(3).
>

i am aware that it will hang at the passphrase prompt, as i have a netbsd machine (ugh!) with cgd as my mailserver and it does just this on boot. using a dongle is a possibility, but i would rather enter a password over a serial console and/or use a salt file. the threat model is physical theft of the mailserver while i am not on-site and that the machine is running netbsd ;).

cheers,
jake

>Hoping for further comments,
>
>Dave
>--
> [In] all human groups at all times there are the few who rule
> and the many who are ruled.
> -- A. Livingston
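The /etc/rc placement the thread settles on, written out as an added example that is not from either poster: a fragment meant to sit right after the `mount -s /usr` line, assuming a hypothetical image file /usr/var.img holding a single "a" partition and device svnd0. It attaches the image with `vnconfig -k` (which blocks on the console for the passphrase via getpass(3)), fscks and mounts it, and returns non-zero on any failure so rc can stop instead of letting syslogd, named and friends start on the plaintext /var underneath.

```sh
#!/bin/sh
# Added example (not from the thread). Assumed values: the encrypted image
# lives on /usr, so this must run after "mount -s /usr" in /etc/rc.
VAR_IMG=${VAR_IMG:-/usr/var.img}   # hypothetical image path
VAR_VND=${VAR_VND:-svnd0}          # hypothetical vnode device

attach_var_image() {
    # -k makes vnconfig ask for the key through getpass(3) on /dev/tty,
    # so boot pauses here until someone at the (serial) console types it.
    if ! vnconfig -k "$VAR_VND" "$VAR_IMG"; then
        echo "svnd: could not attach $VAR_IMG to $VAR_VND" >&2
        return 1
    fi
    # Check the filesystem inside the image before trusting it, as rc does
    # for real partitions; a wrong passphrase shows up here as garbage.
    if ! fsck -p "/dev/r${VAR_VND}a"; then
        echo "svnd: fsck of /dev/r${VAR_VND}a failed (bad key?)" >&2
        vnconfig -u "$VAR_VND"    # detach, leave nothing half-configured
        return 1
    fi
    if ! mount "/dev/${VAR_VND}a" /var; then
        echo "svnd: mount of /dev/${VAR_VND}a on /var failed" >&2
        vnconfig -u "$VAR_VND"
        return 1
    fi
    return 0
}

# In /etc/rc, call it as:   attach_var_image || exit 1
# so that a failed attach stops rc before any daemon writes to the
# underlying, unencrypted /var.
```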