Re: no deprecation of /usr as a standalone filesystem

To: Henrique de Moraes Holschuh <hmh@debian.org>
Cc: Goswin von Brederlow <goswin-v-b@web.de>, Josselin Mouette <joss@debian.org>, debian-devel@lists.debian.org
Subject: Re: no deprecation of /usr as a standalone filesystem
From: Pierre Habouzit <madcoder@madism.org>
Date: Mon, 1 Jun 2009 21:34:11 +0200
Message-id: <[🔎] 20090601192850.GA4797@artemis.corp>
In-reply-to: <[🔎] 20090601180802.GC24704@khazad-dum.debian.net>
References: <20090531174300.GA21911@bongo.bofh.it> <[🔎] 1243844895.6045.11.camel@tomoyo> <[🔎] 877hzwryxz.fsf@frosties.localdomain> <[🔎] 20090601124938.GA23334@laphroaig.corp> <[🔎] 87vdngxa0j.fsf@frosties.localdomain> <[🔎] 20090601160121.GA4252@laphroaig.corp> <[🔎] 20090601180802.GC24704@khazad-dum.debian.net>

On Mon, Jun 01, 2009 at 03:08:02PM -0300, Henrique de Moraes Holschuh wrote:
> On Mon, 01 Jun 2009, Pierre Habouzit wrote:
> > Think again, if I do such a package, I would obviously check with some
> > kind of trivial perl programm if the device containing /usr/lib/rootkit
> > is mounted with nodev, would use mount -o remount,dev on the problematic
> > mount point in the preinst, let the unpacking happen, and remount
> > properly in the postinst.
> 
> AFAIK, nodev blocks device nodes from _WORKING_ as well.
> 
> Anyway, one would need to just remount it "dev" as root to exploit.
> 
> Of course, when you have el-crap-o pathbased security plus something locking
> down remounts, the above is an attack vector that separate /usr could close.
> Not something someone using SE Linux would need to care about, though.
> 
> > And if you really care about those extra bits of performance, then what
> > I'd do is _not_ to not encrypt /usr but rather to let / be unencrypted,
> 
> And now you need /etc as a separate partition, which is a lot worse to pull
> off than /usr as a separate partition...

cat >> /etc/fstab
/srv/localhost/etc / auto bind
^D
mount /etc

done
-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org

Reply to:

Follow-Ups:
- Re: no deprecation of /usr as a standalone filesystem
  - From: Goswin von Brederlow <goswin-v-b@web.de>

References:
- Re: no deprecation of /usr as a standalone filesystem
  - From: Josselin Mouette <joss@debian.org>
- Re: no deprecation of /usr as a standalone filesystem
  - From: Goswin von Brederlow <goswin-v-b@web.de>
- Re: no deprecation of /usr as a standalone filesystem
  - From: Pierre Habouzit <madcoder@madism.org>
- Re: no deprecation of /usr as a standalone filesystem
  - From: Goswin von Brederlow <goswin-v-b@web.de>
- Re: no deprecation of /usr as a standalone filesystem
  - From: Pierre Habouzit <madcoder@madism.org>
- Re: no deprecation of /usr as a standalone filesystem
  - From: Henrique de Moraes Holschuh <hmh@debian.org>

Prev by Date: Re: Bug#531221: okular: Arbitrarily enforces DRM
Next by Date: Bug#474191: ITP: iceweasel-downloadstatusbar -- Iceweasel addon that provides an improved download statusbar
Previous by thread: Re: no deprecation of /usr as a standalone filesystem
Next by thread: Re: no deprecation of /usr as a standalone filesystem
Index(es):
- Date
- Thread