Re: no deprecation of /usr as a standalone filesystem

Pierre Habouzit <madcoder@madism.org> writes:

> On Mon, Jun 01, 2009 at 03:08:02PM -0300, Henrique de Moraes Holschuh wrote:
>> On Mon, 01 Jun 2009, Pierre Habouzit wrote:
>> > Think again, if I do such a package, I would obviously check with some
>> > kind of trivial perl program if the device containing /usr/lib/rootkit
>> > is mounted with nodev, would use mount -o remount,dev on the problematic
>> > mount point in the preinst, let the unpacking happen, and remount
>> > properly in the postinst.
>> AFAIK, nodev blocks device nodes from _WORKING_ as well.
>> Anyway, one would need to just remount it "dev" as root to exploit.
>> Of course, when you have el-crap-o pathbased security plus something locking
>> down remounts, the above is an attack vector that separate /usr could close.
>> Not something someone using SE Linux would need to care about, though.
>> > And if you really care about those extra bits of performance, then what
>> > I'd do is _not_ to not encrypt /usr but rather to let / be unencrypted,
>> And now you need /etc as a separate partition, which is a lot worse to pull
>> off than /usr as a separate partition...
> cat >> /etc/fstab
> /srv/localhost/etc / auto bind
> ^D
> mount /etc
> done

And if that fails to mount:

go away, you don't exist.
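As an added example (not code from anyone in this thread), here is the "trivial" check Pierre describes: given a path, find the mount point that holds it and report whether that mount carries the nodev option. The mount table below is constructed for illustration, in /proc/mounts format; on a live system you would feed the script `$(cat /proc/mounts)` instead. The function and variable names are my own.

```sh
#!/bin/sh
# Added example: locate the mount point holding a path and test its options.
# Not from the thread; names (SAMPLE_MOUNTS, mount_point_for, ...) are invented.

# Constructed sample mount table in /proc/mounts format (not a real host).
# Note /usr is nodev but its nested /usr/local mount is not.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 ro,nodev,relatime 0 0
/dev/sda3 /usr/local ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0'

# mount_point_for <path> <mount-table>
# Prints the longest mount point that is a prefix of <path>, i.e. the
# filesystem the path actually lives on (nested mounts win over parents).
mount_point_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $2
            if (p == mp || mp == "/" || index(p, mp "/") == 1) {
                if (length(mp) > length(best)) best = mp
            }
        }
        END { print best }'
}

# mount_opts_for <path> <mount-table>
# Prints the comma-separated option list of the mount holding <path>.
mount_opts_for() {
    mp=$(mount_point_for "$1" "$2")
    printf '%s\n' "$2" | awk -v mp="$mp" '$2 == mp { print $4; exit }'
}

# has_opt <option> <comma-list>  -> exit 0 if <option> is in the list
has_opt() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# path_has_nodev <path> <mount-table>  -> exit 0 if the holding mount is nodev
path_has_nodev() {
    has_opt nodev "$(mount_opts_for "$1" "$2")"
}

# Demonstration on the constructed table.
for p in /usr/lib/rootkit /usr/local/bin/tool /etc/fstab /tmp/x; do
    mp=$(mount_point_for "$p" "$SAMPLE_MOUNTS")
    if path_has_nodev "$p" "$SAMPLE_MOUNTS"; then
        printf '%s: on %s, nodev set\n' "$p" "$mp"
    else
        printf '%s: on %s, nodev NOT set\n' "$p" "$mp"
    fi
done
```

The longest-prefix rule matters: a check that only looked at /usr would report nodev for /usr/local/bin/tool, while the nested /usr/local mount in the sample table is mounted without it. The same functions can test nosuid or noexec by passing a different option name to has_opt.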


