Tim:
>> Are there any known, current, problems with mounting certain things as
>> read-only or noexec to minimise harm? Such as making /tmp and /home
>> noexec? Or /usr read-only? Or any other suggestions?

James Wilkinson:
> I've got /tmp mounted nodev,noexec (and should probably mount /var the
> same way).

Well, I've found my first problem: Mounting /var with "noexec" means that CGI scripts won't run for the web server. Took me a few minutes of headscratching to realise what had gone wrong, as is the way when the problem happens some time after a change.

I've temporarily removed "noexec" while I consider if I should move the /var/www/cgi-bin/ directory out of /var.

> A read-only /usr sounds like more trouble than it's worth: it *will*
> break yum updates. So you'll have to regularly remount it read-write
> (while the system's on-line) to update the machine.

Yes, that had been on my mind. I don't know if anything else writes to it. If the updates were less frequent I might be more inclined to try making it read-only.

Of course, I could automate things by using a script to remount it as writable, run YUM, then remount as read-only. Then, I'd only have one thing to do.

Naturally, I realise that the moment I've got FC4 running pat, it'll be outdated and I'll have to start over again with FC5.

-- 
Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
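The two practical points in the thread, that a noexec /var silently breaks anything executable under it (such as /var/www/cgi-bin/) and that a read-only /usr needs a remount-rw / update / remount-ro cycle, can both be scripted. The following is an added example, not code from either poster: it reads a /proc/mounts style table (a constructed sample is embedded so it runs offline), finds which mount a path lives on, reports whether that mount carries noexec, and wraps yum in the remount sequence so /usr is returned to read-only even when the update fails. The function names, the sample table and the choice of `yum -y update` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the /proc/mounts
# field layout (device mountpoint fstype options dump pass), root privileges
# for the real remount, and yum as the updater.

# Constructed sample mount table, mirroring the layout discussed in the thread.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /usr ext3 ro 0 0
/dev/sda5 /var ext3 rw,nodev,noexec 0 0
/dev/sda6 /home ext3 rw,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nodev,noexec 0 0'

# Write the sample table to a temp file and print its path (for offline use).
sample_mounts_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_MOUNTS" > "$f"
    printf '%s\n' "$f"
}

# has_mount_opt MOUNTPOINT OPTION [TABLE]: exit 0 if OPTION is set on MOUNTPOINT.
has_mount_opt() {
    mp=$1; opt=$2; table=${3:-/proc/mounts}
    awk -v mp="$mp" -v opt="$opt" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$table"
}

# mountpoint_of PATH [TABLE]: print the longest mount point that contains PATH.
mountpoint_of() {
    path=$1; table=${2:-/proc/mounts}
    awk -v p="$path" '
        {
            mp = $2
            if (p == mp || mp == "/" || index(p, mp "/") == 1)
                if (length(mp) > length(best)) best = mp
        }
        END { print best }
    ' "$table"
}

# exec_allowed PATH [TABLE]: exit 0 unless the filesystem holding PATH is noexec.
# Use before dropping CGI scripts or other executables into a directory.
exec_allowed() {
    mp=$(mountpoint_of "$1" "$2")
    [ -n "$mp" ] && ! has_mount_opt "$mp" noexec "$2"
}

# update_with_ro_usr: remount /usr rw, run yum, remount ro regardless of outcome.
# Returns yum's exit status, or 1 if a remount failed.
update_with_ro_usr() {
    mount -o remount,rw /usr || return 1
    # If the shell is signalled mid-update, still try to re-seal /usr.
    trap 'mount -o remount,ro /usr' INT TERM
    yum -y update
    rc=$?
    trap - INT TERM
    mount -o remount,ro /usr || { echo "WARNING: /usr left read-write" >&2; return 1; }
    return $rc
}

# Stand-alone demo against the sample table (no real mounts are touched).
if [ "${0##*/}" = "mounts_check.sh" ]; then
    t=$(sample_mounts_file)
    for p in /var/www/cgi-bin/test.cgi /usr/bin/perl /home/tim/run.sh; do
        if exec_allowed "$p" "$t"; then echo "$p: exec allowed"
        else echo "$p: on $(mountpoint_of "$p" "$t"), mounted noexec"; fi
    done
    rm -f "$t"
fi
```

Pointing `exec_allowed` at the real /proc/mounts (omit the table argument) gives the same check against the live system; `update_with_ro_usr` is the one-step update the message describes, with the read-only remount done on every exit path rather than only on success.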