On Thu, Apr 12, 2007 at 11:42:37AM +0100, Robert Watson wrote:
>
> On Thu, 12 Apr 2007, Bernd Walter wrote:
>
> >On Wed, Apr 11, 2007 at 08:04:03PM -0400, John Nielsen wrote:
> >
> >>I just moved /usr over to a zpool on my -CURRENT system. Performance and
> >>stability are both excellent so far. (Thanks Pawel!) However I noticed
> >>that setting FS flags on files with chflags is not supported. Would it be
> >>feasible to add support for flags on ZFS, and if so are there plans to do
> >>so?
> >>
> >>If not (and/or in the meantime), are there any places in the base system
> >>where flags are required for normal operation? (/var maybe?)
> >
> >Some binaries have such flags set, but it is not required, otherwise
> >diskless NFS wouldn't work. I often see installworld warnings about being
> >unable to set extended flags on ld.so and others on my diskless boxes.
>
> I'm not a big fan of setting these flags -- I fairly frequently run into
> problems when I installworld an NFS root on the NFS host, then try to work
> with it over NFS from the NFS-booted system, as the flags can't be removed
> via NFS. They don't offer a security benefit as-installed, and perhaps
> offer a benefit with respect to preventing people from shooting themselves
> in the foot (or perhaps not).

Yeah, historical intentions notwithstanding, the real benefit of schg flags
on critical pieces is anti foot-shooting. e.g. you really don't want to
accidentally delete ld-elf.so.1 or libc.so.7 or init. You can usually
recover from this, but it can mess up your whole day :)

Kris
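An added example, not part of the original thread: a small Python audit that reports whether the files named above currently carry an immutable flag, which is useful after moving a tree to a file system that may not store flags. The directory locations in the sample list and the function names are assumptions made for this illustration.

```python
import os
import stat

# BSD file-flag bits from Python's stat module, with the names chflags(1) uses.
FLAG_NAMES = {
    stat.SF_IMMUTABLE: "schg",
    stat.SF_APPEND: "sappnd",
    stat.UF_IMMUTABLE: "uchg",
    stat.UF_APPEND: "uappnd",
}

# Either immutable bit blocks unlink, rename and write until it is cleared.
IMMUTABLE = stat.SF_IMMUTABLE | stat.UF_IMMUTABLE


def decode_flags(st_flags):
    """Return the chflags-style names set in an st_flags word."""
    return [name for bit, name in FLAG_NAMES.items() if st_flags & bit]


def audit(paths, stat_fn=os.lstat):
    """Map each path to 'protected', 'unprotected', 'missing' or 'unsupported'."""
    report = {}
    for path in paths:
        try:
            st = stat_fn(path)
        except FileNotFoundError:
            report[path] = "missing"
            continue
        # st_flags is absent on platforms without BSD file flags.
        flags = getattr(st, "st_flags", None)
        if flags is None:
            report[path] = "unsupported"
        elif flags & IMMUTABLE:
            report[path] = "protected"
        else:
            # Also the result when the file system silently dropped the flag.
            report[path] = "unprotected"
    return report


if __name__ == "__main__":
    # Files named in the message; the directories are assumed locations.
    critical = ["/libexec/ld-elf.so.1", "/lib/libc.so.7", "/sbin/init"]
    for path, state in audit(critical).items():
        print(f"{state:12} {path}")
```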