>> / rw,nosuid
>> /usr ro
>> /var rw,nosuid
>> /home rw,nosuid
>> /tmp rw,nosuid
>> /usr/local ro
>
> Excellent thinking. Does anyone have any problems with this philosophy?

It is difficult to maintain things this way in a dynamic environment. If you've set up the system, and don't expect to update your software again, it's great and secure. But I don't know of many sites that don't update things from time to time, and some of us pretty frequently. I could presumably get around that with /usr/local on a separate rw filesystem, but then we're back to square one.
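As an added example, not part of the thread, a POSIX shell check that compares a mount table (in /proc/mounts format) against the quoted policy and reports each filesystem that is missing a required option; the mount table below is constructed and deliberately mounts /usr/local rw, as the reply contemplates.

```shell
#!/bin/sh
# Policy from the quoted post: mount point -> options it must carry.
# The check reads a mount table on stdin (same layout as /proc/mounts:
# device mountpoint fstype options dump pass) and prints one line per
# violation, e.g. "/var missing nosuid".

# Constructed sample mount table; on a live system use: check_mounts < /proc/mounts
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,nosuid,relatime 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
/dev/sda4 /home ext4 rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda5 /usr/local ext4 rw,nosuid 0 0'

# required_opts MOUNTPOINT: print the policy for that mount point, or nothing.
required_opts() {
    case "$1" in
        /|/var|/home|/tmp) echo "rw,nosuid" ;;
        /usr|/usr/local)   echo "ro" ;;
        *) ;;
    esac
}

# has_opt OPTS OPT: succeed if the comma-separated OPTS list contains OPT.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mounts: read a mount table on stdin, print "<mountpoint> missing <opt>"
# for every required option absent from that mount. Always exits 0 so the
# caller can count the printed lines.
check_mounts() {
    while read -r _dev mnt _fstype opts _rest; do
        policy=$(required_opts "$mnt")
        [ -n "$policy" ] || continue
        # split the policy on commas into positional parameters
        oldifs=$IFS; IFS=,
        set -- $policy
        IFS=$oldifs
        for want in "$@"; do
            has_opt "$opts" "$want" || echo "$mnt missing $want"
        done
    done
    return 0
}

printf '%s\n' "$SAMPLE_MOUNTS" | check_mounts
```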