Bugtraq mailing list archives
Re: Read only devices (Re: BoS: amodload.tar.gz - ...)
From: mdz () netrail net (Matt Zimmerman)
Date: Thu, 20 Jun 1996 23:15:25 -0400
On Fri, 21 Jun 1996, Sean Vickery wrote:
> On 20 June 1996, Patrick Ferguson wrote:
> > Instead of the hassle of dealing with that, properly configure your
> > filesystems. Since you can mount a filesystem at any point in the tree,
> > why not just spend some extra time and diagram out which directories
> > will be write accessed the least and mount them read-only. Even
> > superuser privs can't violate ro mounting. [...]
>
> Mounting filesystems containing system binaries read-only does not sound
> as safe as turning on the hardware write-protect on the disks containing
> those filesystems.
>
> Why? If an attacker can alter your system binaries, s/he must have root
> privileges. Which means s/he can also unmount the filesystems and
> remount them read-write. But to change the disk back to read-write
> cannot be done over the network. It requires physical access to the
> disk(s).
Right...which makes a good case for using NFS instead, and exporting the filesystems read-only from a server which is hopefully less accessible to the general public and/or intruders (offering a very limited set of network services, etc.). Of course, then you have to deal with the usual NFS security issues (most of which can be avoided within reasonable limits by well-configured firewalls and TCP wrappers).

// Matt Zimmerman       Chief of System Management        NetRail, Inc.
// mdz () netrail net   sales () netrail net
// (703) 524-4800 [voice]  (703) 524-4802 [data]  (703) 534-5033 [fax]
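An added example, not part of the original message or thread: a small audit that reports, for each protected directory, whether its filesystem is writable, read-only on a local disk (which root on the same host can remount), or read-only over NFS (where write protection depends on the server's export). It assumes a Linux-style `/proc/mounts` table; the sample table, host name and address are constructed.

```python
import posixpath

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass.
# "fileserver" and 192.0.2.10 are placeholders, not values from the thread.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
fileserver:/export/local /usr/local nfs ro,vers=3,addr=192.0.2.10 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
"""

def parse_mounts(text):
    """Return (mountpoint, fstype, set-of-options) for each well-formed line."""
    rows = (line.split() for line in text.splitlines())
    return [(f[1], f[2], set(f[3].split(","))) for f in rows if len(f) >= 4]

def covering_mount(path, mounts):
    """Pick the mount holding path: the longest mountpoint that is a path prefix."""
    path = posixpath.normpath(path)
    best, best_len = None, -1
    for mnt in mounts:
        mp = posixpath.normpath(mnt[0])
        inside = mp == "/" or path == mp or path.startswith(mp + "/")
        if inside and len(mp) >= best_len:  # >= lets a later mount shadow an earlier one
            best, best_len = mnt, len(mp)
    return best

def classify(path, mounts):
    mnt = covering_mount(path, mounts)
    if mnt is None:
        return "unknown"
    _, fstype, opts = mnt
    if "ro" not in opts:
        return "writable"
    if fstype.startswith("nfs"):
        # Client-side view only: the server's export must itself be read-only.
        return "ro-nfs"
    # Local read-only mount: root on this host can remount it read-write.
    return "ro-local"

def audit(paths, text=SAMPLE_MOUNTS):
    mounts = parse_mounts(text)
    return {p: classify(p, mounts) for p in paths}

if __name__ == "__main__":
    for path, state in audit(["/usr/bin", "/usr/local/bin", "/bin", "/var/log"]).items():
        print(f"{path:16} {state}")
```

On a live Linux host, pass the contents of `/proc/mounts` as `text` instead of the constructed sample.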