Re: How efficient is mounting /usr ro?
"Bernhard R. Link" <blink@informatik.uni-freiburg.de> writes:
> * Tarjei Huse <tarjei@bergfald.no> [031009 10:55]:
>> The Securing Debian manual suggests one should set the /usr partition to
>> ro and use remount when you install new programs.
>> I was just wondering how much security one gains with this.
>
> I do not think one gets much security out of it. I think the most
> security one gets by this is that this way /usr has no chance to
> go corrupt when the power supply fails and less possible corruption
> makes it less probable that a corruption helping an attacker occurs.

I agree. If you are looking for this kind of security, your best bet
is to set the immutable bit on all of your system files. That will
ensure that only a reboot in single user mode will allow these files
to be changed. (Make sure you set immutable the system boot scripts
as well.)
--
Ted Cabeen
Sr. Systems/Network Administrator
Impulse Internet Services
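
Added example, not part of the original message: a shell filter that reads `lsattr`-style lines and lists the files that do not carry the immutable (`i`) attribute, as a way to check coverage after setting it with `chattr +i`. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names, constructed sample data).
# Reads lsattr-style lines ("<flags> <path>") on stdin and prints every
# path whose flag field does not contain the immutable bit 'i'.
missing_immutable() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue          # skip blank separator lines
        flags=${line%% *}                   # text before the first space
        path=${line#* }                     # remainder (may contain spaces)
        case $flags in
            *[!A-Za-z-]*) continue ;;       # not a flag field, e.g. "/usr/bin:"
        esac
        case $flags in
            *i*) ;;                         # immutable bit is set
            *)   printf '%s\n' "$path" ;;   # still modifiable
        esac
    done
}

# Constructed sample in the layout lsattr prints; not taken from a real host.
sample_lsattr() {
cat <<'EOF'
/usr/bin:
----i---------e------- /usr/bin/ls
--------------e------- /usr/bin/passwd

/etc/init.d:
----i---------e------- /etc/init.d/rcS
--------------e------- /etc/init.d/networking
EOF
}

# Returns the paths in the sample that lack the immutable bit.
audit_sample() {
    sample_lsattr | missing_immutable
}
```

On a real system the same filter can be fed with `lsattr -R /usr 2>/dev/null | missing_immutable`.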