
Re: How efficient is mounting /usr ro?



"Bernhard R. Link" <blink@informatik.uni-freiburg.de> writes:

> * Tarjei Huse <tarjei@bergfald.no> [031009 10:55]:
>> The Securing Debian manual suggests one should set the /usr partition to
>> ro and use remount when you install new programs.
>> I was just wondering how much security one gains with this.
>
> I do not think one gets much security out of it. I think the most
> security one gets by this is that this way /usr has no chance to
> go corrupt when the power supply fails and less possible corruption
> makes it less probable that a corruption helping an attacker occurs.

I agree.  If you are looking for this kind of security, your best bet
is to set the immutable bit on all of your system files.  That will
ensure that only a reboot in single user mode will allow these files
to be changed.  (Make sure you set immutable the system boot scripts
as well.)

-- 
Ted Cabeen
Sr. Systems/Network Administrator
Impulse Internet Services
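
One way to audit which files actually carry the immutable bit the reply recommends, as an added example that is not part of the original message: it parses `lsattr` output (from e2fsprogs) and lists every path lacking the lowercase `i` attribute. The function names `not_immutable` and `sample_lsattr` are hypothetical, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: list paths that do NOT carry the immutable (i) attribute.
# Input is `lsattr` output on stdin: "<attribute field> <path>" per entry.

not_immutable() {
    while read -r flags path; do
        # Blank lines and the "dir:" headers printed by `lsattr -R`
        # have no second field; skip them.
        [ -n "$path" ] || continue
        case $flags in
            *[!A-Za-z-]*) continue ;;        # not an attribute field
            *i*) ;;                           # immutable set: nothing to report
            *) printf '%s\n' "$path" ;;       # immutable missing
        esac
    done
}

# Constructed sample in the layout `lsattr -R` produces. Note the uppercase
# 'I' on /usr/share/doc: that is the indexed-directory flag, not immutable,
# so the case-sensitive match above must still report that path.
sample_lsattr() {
    cat <<'EOF'
----i---------e------- /usr/bin/login
--------------e------- /usr/bin/passwd
-----------I--e------- /usr/share/doc

/usr/share/doc:
--------------e------- /usr/share/doc/my notes.txt

/etc/init.d:
----i---------e------- /etc/init.d/rc
--------------e------- /etc/init.d/networking
EOF
}

# Run the audit over the constructed sample.
sample_lsattr | not_immutable
```

On a live system, feed it real data instead, for example `lsattr -R /usr /etc/init.d 2>/dev/null | not_immutable` (the directories here are an assumption about where the system files and boot scripts live).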


