AWS linux documentation change
Summary
Clarified /usr hierarchy usage rules and formatting changes to section headers
Security assessment
The changes emphasize that /usr should remain read-only except for package manager operations, which helps prevent unauthorized modifications. While this reinforces security best practices, there's no evidence of addressing a specific vulnerability. The documentation adds guidance about secure system configuration.
Diff
diff --git a/linux/al2023/ug/filesystem-slash-usr.md b/linux/al2023/ug/filesystem-slash-usr.md index 707887918..2936a3fe4 100644 --- a//linux/al2023/ug/filesystem-slash-usr.md +++ b//linux/al2023/ug/filesystem-slash-usr.md @@ -7 +7 @@ -# `/usr` System Resources +# `/usr` (System Resources) @@ -9 +9 @@ -The `/usr` hierarchy is for vendor supplied Operating System resources. Except for the `/usr/local` hierarchy, nothing should modify anything under `/usr` except the OS package manager. +The `/usr` hierarchy is for vendor supplied Operating System resources. Except for the /usr/local hierarchy, nothing should modify anything under `/usr` except the OS package manager. @@ -11 +11 @@ The `/usr` hierarchy is for vendor supplied Operating System resources. Except f -Software must assume that `/usr` can be read-only, and must not use it for volatile data, or data that changes outside of package installation/removal as done by the OS package manager. +Software applications must assume that `/usr` can be read-only. The `/usr` hierarchy must not be used for volitile data. Except for /usr/local, the `/usr` hierarchy must not be used for any data that is added or changed outside of package installation/removal as done by the OS package manager. The OS package manager may assume that all of the `/usr` hierarchy (except /usr/local) is the same mountpoint. @@ -13 +13,3 @@ Software must assume that `/usr` can be read-only, and must not use it for volat -## `/usr/bin`: Executables +Software being installed outside of the OS package manager should not store data in `/usr` as this may impede any future invocation of the OS package manager. The /usr/local hierarchy is the exception, and is reserved for software outside of the OS package manager. + +## `/usr/bin` (Executables) @@ -17 +19 @@ Executable files which should appear in the standard search `$PATH`, and are use -## `/usr/include`: C/C++ Headers +## `/usr/include` (C/C++ Headers) @@ -21 +23 @@ The `/usr/include` directory contains C and C++ header files, usually contained -## `/usr/lib` and `/usr/lib64`: Shared libraries +## `/usr/lib` and `/usr/lib64` (Shared libraries) @@ -27 +29 @@ The `/usr/lib` path is for static data from OS packages which is compatible with -## `/usr/local`: System administrator installed software +## `/usr/local` (System administrator installed software) @@ -31 +33 @@ On Amazon Linux 2023, the `/usr/local` path is available for the system administ -## `/usr/share`: Shared resources +## `/usr/share` (Shared resources) @@ -35 +37 @@ Shared resources such as documentation, fonts, and time zone data live in `/usr/ -### `/usr/share/doc`: shared resources +### `/usr/share/doc` (Documentation)