AWS Security ChangesHomeSearch

AWS linux documentation change

Service: linux · 2025-05-10 · Documentation medium

File: linux/al2023/ug/filesystem-slash-usr.md

Summary

Clarified /usr hierarchy usage rules and formatting changes to section headers

Security assessment

The changes emphasize that /usr should remain read-only except for package manager operations, which helps prevent unauthorized modifications. While this reinforces security best practices, there's no evidence of addressing a specific vulnerability. The documentation adds guidance about secure system configuration.

Diff

diff --git a/linux/al2023/ug/filesystem-slash-usr.md b/linux/al2023/ug/filesystem-slash-usr.md
index 707887918..2936a3fe4 100644
--- a//linux/al2023/ug/filesystem-slash-usr.md
+++ b//linux/al2023/ug/filesystem-slash-usr.md
@@ -7 +7 @@
-# `/usr` System Resources
+# `/usr` (System Resources)
@@ -9 +9 @@
-The `/usr` hierarchy is for vendor supplied Operating System resources. Except for the `/usr/local` hierarchy, nothing should modify anything under `/usr` except the OS package manager. 
+The `/usr` hierarchy is for vendor supplied Operating System resources. Except for the /usr/local hierarchy, nothing should modify anything under `/usr` except the OS package manager. 
@@ -11 +11 @@ The `/usr` hierarchy is for vendor supplied Operating System resources. Except f
-Software must assume that `/usr` can be read-only, and must not use it for volatile data, or data that changes outside of package installation/removal as done by the OS package manager. 
+Software applications must assume that `/usr` can be read-only. The `/usr` hierarchy must not be used for volitile data. Except for /usr/local, the `/usr` hierarchy must not be used for any data that is added or changed outside of package installation/removal as done by the OS package manager. The OS package manager may assume that all of the `/usr` hierarchy (except /usr/local) is the same mountpoint. 
@@ -13 +13,3 @@ Software must assume that `/usr` can be read-only, and must not use it for volat
-## `/usr/bin`: Executables
+Software being installed outside of the OS package manager should not store data in `/usr` as this may impede any future invocation of the OS package manager. The /usr/local hierarchy is the exception, and is reserved for software outside of the OS package manager. 
+
+## `/usr/bin` (Executables)
@@ -17 +19 @@ Executable files which should appear in the standard search `$PATH`, and are use
-## `/usr/include`: C/C++ Headers
+## `/usr/include` (C/C++ Headers)
@@ -21 +23 @@ The `/usr/include` directory contains C and C++ header files, usually contained
-## `/usr/lib` and `/usr/lib64`: Shared libraries
+## `/usr/lib` and `/usr/lib64` (Shared libraries)
@@ -27 +29 @@ The `/usr/lib` path is for static data from OS packages which is compatible with
-## `/usr/local`: System administrator installed software
+## `/usr/local` (System administrator installed software)
@@ -31 +33 @@ On Amazon Linux 2023, the `/usr/local` path is available for the system administ
-## `/usr/share`: Shared resources
+## `/usr/share` (Shared resources)
@@ -35 +37 @@ Shared resources such as documentation, fonts, and time zone data live in `/usr/
-### `/usr/share/doc`: shared resources
+### `/usr/share/doc` (Documentation)