[139] in linux-security and linux-alert archive
/usr/local/... file placement, and vendor security quality control
daemon@ATHENA.MIT.EDU (Andrew Cromarty)
Mon Mar 13 06:11:00 1995
Date: Sun, 12 Mar 95 23:21 PST
From: andy@distrib.com (Andrew Cromarty)
To: linux-security@tarsier.cv.nrao.edu
Cc: panzer@dhp.com
Reply-To: linux-security@tarsier.cv.nrao.edu
Matt (panzer@dhp.com) wrote:
> : for your information: the "rule" is that slackware comes with a clean
> : /usr/local. All that ends up there is yours.....
> Kinda strange way to do it, since half of Slackware is made up of things
> that should be in /usr/local/bin. Again, this is personal taste, so
> whatever people like. :)
"Strange"---but it does follow the Linux File System Standard (FSSTND).
It leads to some peculiar file placements if you think of the whole
installation as "yours," but it makes sense and is convenient if you
think of the system as comprised of "a standard release, plus my
additions." Briefly, the FSSTND rationale is (simplifying slightly):
1. All "sbin" areas are "system" binaries (of interest to root only).
2. "/usr/..." areas are not guaranteed to be mounted at boot time, but
/sbin and /bin are, so the must-have binaries live there.
3. Distributions should leave the /usr/local... dirs empty, for "our" use.
Thus if you upgrade to a new Slackware package, in principle all your
customizations will be safe (won't get clobbered), since they're in an
area (/usr/local/...) that the new distribution doesn't touch.
To keep this topic Linux-security related, and proactive: given that the
FSSTND explicitly attempts to define what's "their vs. ours" in distributions,
we should be encouraging all the distribution bundlers to make "their"
file permissions as secure as possible. If we screw ours up, that's our
problem. But part of every Slackware/InfoMagic/Morse/RedHat/Yggdrasil/...
final quality control check should be ensuring that their product puts
_everything_ in the right place at the right permissions---and as the
Linux community's most security-conscious consumers, we on this list are
well qualified to make the vendors/distributors aware of this
responsibility.
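As an added example (not from this post or from any distribution's own release tooling), a POSIX shell audit of a staged install tree for the two checks the message asks vendors to make: that /usr/local is left empty, and that nothing ships world-writable or with setuid/setgid bits that nobody reviewed. The sample tree, its file names and the violations in it are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the post or any distribution's own tooling): audit
# a staged install tree, the directory a vendor would tar up, for the two
# things the message asks vendors to verify before shipping.

# Succeeds only if <root>/usr/local holds nothing but directories, i.e. the
# vendor left "our" area empty as FSSTND asks.
usr_local_is_clean() {
    root=$1
    [ -d "$root/usr/local" ] || return 0
    [ -z "$(find "$root/usr/local" ! -type d | head -n 1)" ]
}

# Prints, relative to <root>, every entry that is world-writable without the
# sticky bit or that carries a setuid/setgid bit, and returns non-zero if it
# printed anything. A setuid program is not wrong by itself, but every one
# that ships must be on a reviewed list, so each is surfaced here.
list_risky_perms() {
    root=$1
    out=$(cd "$root" && find . \( -perm -0002 ! -perm -1000 \) \
                                 -o -perm -4000 -o -perm -2000 | sort)
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Builds a throwaway tree (constructed sample data) with one violation of
# each rule and prints its path, so the audit has something to report.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/usr/bin" "$tmp/usr/local/bin"
    chmod 700 "$tmp"
    chmod 755 "$tmp/bin" "$tmp/usr" "$tmp/usr/bin" "$tmp/usr/local" "$tmp/usr/local/bin"
    : > "$tmp/bin/sh";            chmod 755  "$tmp/bin/sh"            # fine
    : > "$tmp/usr/bin/mount";     chmod 4755 "$tmp/usr/bin/mount"     # setuid: must be reviewed
    : > "$tmp/usr/bin/notes";     chmod 666  "$tmp/usr/bin/notes"     # world-writable: a bug
    : > "$tmp/usr/local/bin/foo"; chmod 755  "$tmp/usr/local/bin/foo" # vendor file in "our" area
    printf '%s\n' "$tmp"
}

# Stand-alone run: audit the sample tree and clean up.
root=$(make_sample_tree)
if usr_local_is_clean "$root"; then echo "usr/local: clean"
else echo "usr/local: vendor files present, FSSTND rule 3 violated"; fi
list_risky_perms "$root" || echo "review the permissions listed above"
rm -rf "$root"
```

Pointing `usr_local_is_clean` and `list_risky_perms` at a real unpacked release tree (rather than the sample) is the whole check; on a live system the same two functions work against `/`.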
Imagine how quickly they'd get off their tails and work on this if, for
example, the members of this list "voted" regularly on the most secure
distribution and published the results of the vote as our collective
considered opinion on these products' security value.
cheers asc