Re: ifupdown writes to /etc... a bug?

To: Brian May <bam@debian.org>
Cc: John Hasler <john@dhh.gt.org>, debian-devel@lists.debian.org
Subject: Re: ifupdown writes to /etc... a bug?
From: Goswin Brederlow <goswin.brederlow@student.uni-tuebingen.de>
Date: 26 Mar 2003 20:07:04 +0100
Message-id: <[🔎] 878yv2dk13.fsf@mrvn.homelinux.org>
In-reply-to: <[🔎] 20030322231347.GA21934@snoopy.apana.org.au>
References: <[🔎] 20030310124920.GA32489@diamond.madduck.net> <[🔎] 20030321200228.GA8338@lapdog> <[🔎] 013f01c2f075$d6517e20$a2b89bd9@banana.org.uk> <[🔎] 200303221606.21710.russell@coker.com.au> <[🔎] 87smtfidg8.fsf@toncho.dhh.gt.org> <[🔎] 20030322231347.GA21934@snoopy.apana.org.au>

Brian May <bam@debian.org> writes:

> On Sat, Mar 22, 2003 at 10:16:39AM -0600, John Hasler wrote:
> > Russell Coker writes:
> > > My suggestion to make a minor change to the file naming scheme under
> > > /usr/share to make things easier for SE Linux was shot down even though
> > > it would take very little effort to implement.  This ro-root idea takes
> > > considerably more work to implement and I think that it provides
> > > considerably less benefit.
> > 
> > R/o root also provides a degree of protection against buggy programs and
> > admin errors.  I prefer to minimize the number of r/w partitions.
> 
> RO root on CDROM means you need to create a new CDROM for every upgrade.

Ever heard of CDRW? Does none of your harddisks have a RO jumper?
Using CDR for this would be hard on the environment.

> On the positive side, this means reverting back to an older version
> in case anything is broken with the new version is easy.
> 
> Another potential benifit is that it makes it easier to have all Linux
> routers for instance running a consistant set of Packages, you just
> check that the CDROM is the same version (although there might be issues
> here with variable configuration that still need to be resolved).
> No need to inspect every individual router if a security hole is
> discovered in one, just update the CDROM and distribute as required by
> the organisation's security policy.

nfs mount. / as nfs-root and then you mount server:hostname/etc over
the existing one.

> On the negative side, this means fiddling around with new network
> connections, etc, could be a pain in the neck, as you have to create and
> test a new CDROM each time.

nomore than any other system.

> As to which security tool you use, it really depends on what you are
> trying to secure yourself against. A RO filesystem does nothing to
> prevent looking at private files and/or sniffing the network interfaces
> for passwords, you need something like SE-Linux for that. However, there
> are some features a RO source can have (like those mentioned above) that
> SE-Linux doesn't provide.

So many people want to do a md5sum check of all their files after
being hacked. Why bother? Just press reset, boot from CD and all is
back to the state before the attack.

MfG
        Goswin

Reply to:

References:
- ifupdown writes to /etc... a bug?
  - From: martin f krafft <madduck@debian.org>
- Re: ifupdown writes to /etc... a bug?
  - From: Tommi Virtanen <tv@debian.org>
- Re: ifupdown writes to /etc... a bug?
  - From: "Matt Ryan" <mryan@debian.org>
- Re: ifupdown writes to /etc... a bug?
  - From: Russell Coker <russell@coker.com.au>
- Re: ifupdown writes to /etc... a bug?
  - From: John Hasler <john@dhh.gt.org>
- Re: ifupdown writes to /etc... a bug?
  - From: Brian May <bam@debian.org>

Prev by Date: Re: ifupdown writes to /etc... a bug?
Next by Date: (no subject)
Previous by thread: Re: ifupdown writes to /etc... a bug?
Next by thread: Re: ifupdown writes to /etc... a bug?
Index(es):
- Date
- Thread