LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

The case for the /usr merge

The case for the /usr merge

Posted Jan 27, 2012 1:10 UTC (Fri) by jmorris42 (subscriber, #2203)
Parent article: The case for the /usr merge

Gotta agree with this one. The whole OS is small enough to stuff on the small expensive media now and just mount it at /usr if that is what floats yer boat. It is /var and /home where the massive consumption happens these days.

And I kinda like the notion of having all of the executables and libraries on /usr where you can just mount it readonly and have done with 90% of potential exploits... especially you mount /tmp as a separate filesystem and remove exec. Then you only need to watch out for /etc.

(Log in to post comments)

The case for the /usr merge

Posted Jan 27, 2012 21:16 UTC (Fri) by nix (subscriber, #2304) [Link]

Quite. I moaned about this when it was first mooted, but on further analysis, I was wrong. So this means a tiny bit of futzing with your initramfs to boot /usr early. Big deal. (A bigger deal is that busybox mount could historically not handle as many filesystem options as real mount, so if you were using busybox mount, you had to mount filesystems with an artificially limited set of options, then remount them with different options once you'd switched roots. I'm not sure if this has changed in recent versions of busybox mount or not.)

The case for the /usr merge

Posted Jan 29, 2012 15:13 UTC (Sun) by kasperd (guest, #11842) [Link]

especially you mount /tmp as a separate filesystem and remove exec.

I wish I could have that level of security on the computer I use for e-banking. Unfortunately a couple of years ago it was decided that allowing banks to compete on the quality of their e-banking systems was not acceptable in such a civilized country as Denmark. Instead one company was granted a monopoly on handling authentication for e-banking. And every bank in this country is now required to use that centralised authentication system.

The vendor of that system is guaranteed to not lose market share to competitors, so they can do whatever they please. One consequence of that is that if I want to access any e-banking, I must have /tmp mounted with exec. Mounting it noexec will prevent me from logging on the banks website.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds