Re: How efficient is mounting /usr ro?
"Michael Sharman" <michael.sharman@dytech.com.au> writes:
> >
> > No, it's an argument of efficacy. Removing rw from a mount doesn't
> > remove the ability to write to it for a malicious user. If it
> > gives you
> > warm fuzzies, great, do it. But that's all it's going to do for you.
> >
> > Mike Stone
> >
> >
>
> So the question is if mounting /usr without owner write permissions
> is effective in increasing security.
>
> Clearly it doesn't help protect from a malicious attacker installing
> a root kit after already compromising root privileges. Much better
> to run some kind of tripwire program to do integrity checking (and
> store the chesksums on a physically read only medium), but even this
> doesn't achieve much given the likes of
> http://phrack.org/show.php?p=52&a=18 for instance.
Sure it does. There is no exploit known to jumper my harddisk with
/ and /usr from RO to RW mode apart from breaking&entering.
> But maybe there is an argument for it in terms of protecting against
> accidental corruption of /usr, for example a process running as root
> has a bug that causes the corruption of files in /usr (but then why
> are we worrying only about /usr?).
Also common root-kits don't remount /usr RW so a lot of the premade
root-kits will fail. The little good that will do.
And I'm not only worry about /usr but mounting /home RO is hardly
possible.
MfG
Goswin
Reply to: