Talking of standard fprobihitilssions at the file-system level: | > / rw,nosuid | > /usr ro | > /var rw,nosuid | > /home rw,nosuid | > /tmp rw,nosuid | > /usr/local ro | | excellent thinking. Does anyone have any problems with this philosophy? | I noticed some systems around here with /sbin/su and /sbin/sulogin. | These would be disabled if the above conditions were met. | Is this a problem? Anything else break? I'm personnally using this strategy since SunOS 3.5.2. I've been using it for nearly 5 years now, without any problem. I've never tried to install anything under /usr, for example, in place of the standard /usr/local, I'd advise to use a /local. With this method, tempering with standard binaries or installing a setuid file couldn't be done without rebooting the system. And long before Sun gave that possibility at the PROM level, there are easy methods to make any reboot of a system very hard, even to someone having a physical access to the keyboard. -- dan ``Et pourtant ga tourne....''