Author: Laurent Bercot
Date:
To: dng
Subject: Re: [Dng] [dng] vdev status updates

On 02/05/2015 09:43, marcxdv@??? wrote:
>> 0700 for root-only binaries would hide them from your shell's
>> autocompletion.
>
> Which would be lots of stat() system calls.

If a shell doesn't make them, then it doesn't verify that a file is
executable either. (I just checked with zsh: it doesn't indeed.)
Sure, few people will install non-executable files in PATH search
locations, but if autocompletion doesn't guarantee that a filename
it prints will be executable, then it shouldn't be relied on, and
it's not a good argument for /bin and /sbin separation.

> Also on paranoid systems /sbin and /usr/sbin can itself be made 0700 or
> 0750, so that random users can't even work out what admin commands might
> be there (hide suid exploits)

I don't support security through obscurity, and you shouldn't either.

> Or /sbin can be deleted/omitted entirely on containers/virtual images
> where all admin has been done already.

People who tailor images with exactly the binaries they need will do
it regardless of the location of those binaries. If you don't need
/sbin/route, you probably don't need /bin/mount either.

> So there are very good reasons for keeping the classic/standard layout.