Re: How efficient is mounting /usr ro?
On Fri, 17 Oct 2003 07:08, Bernd Eckenfels wrote:
> In article <20031014175455.GH20556@dijkstra.csh.rit.edu> you wrote:
> > A read-only /usr is not a security measure.
> Depends on your definition of it-security. It reduces downtime, prevents
> some admin and software failures and therefore is a security measure.
So is a tape backup a security measure? What about a UPS? Is ECC memory a
security measure? I guess it's a security measure to buy rack mount servers
from companies such as Dell rather than assembling your own white-box
machines then. :-#
Security is about protection from unauthorised access and keeping the system
running in the face of attack. A read-only /usr does not help this in the
regular case as anyone who has permissions to modify files under /usr also
has permissions to remount it read-write.
Any measure you take to prevent remounting /usr will probably also prevent
file writes as well, so having it mounted read-only gains little.
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
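
The point made in the message above, as an added audit check that is not part of the original post: a read-only /usr only constrains a process that also lacks the capability needed to remount it. The function names and the sample /proc text are constructed for illustration; the check assumes the process runs in the initial user namespace.

```python
# Added example: does a read-only /usr actually constrain a given process?
# Inputs are the text of /proc/mounts and /proc/<pid>/status.
CAP_SYS_ADMIN = 21  # bit number from linux/capability.h; required for mount(2) remounts


def usr_mount_options(mounts_text):
    """Return (mountpoint, options) for the filesystem that holds /usr."""
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint, opts = fields[1], set(fields[3].split(","))
        # /usr may be its own mount or live on /; longest and latest match wins.
        if mountpoint in ("/", "/usr"):
            if best is None or len(mountpoint) >= len(best[0]):
                best = (mountpoint, opts)
    if best is None:
        raise ValueError("no mount covering /usr found")
    return best


def effective_caps(status_text):
    """Parse the CapEff bitmask (hex) from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line")


def assess(mounts_text, status_text):
    """Classify how much protection the ro flag gives against this process."""
    _, opts = usr_mount_options(mounts_text)
    if "ro" not in opts:
        return "not-ro"
    if (effective_caps(status_text) >> CAP_SYS_ADMIN) & 1:
        return "ro-but-remountable"  # the regular root case from the message
    return "ro-and-not-remountable"


# Constructed sample data, not taken from a real host.
SAMPLE_MOUNTS = ("/dev/sda1 / ext3 rw,errors=remount-ro 0 0\n"
                 "/dev/sda5 /usr ext3 ro 0 0\n")
FULL_ROOT = "Name:\tbash\nCapEff:\t0000003fffffffff\n"
ROOT_NO_SYS_ADMIN = "Name:\tdaemon\nCapEff:\t0000003fffdfffff\n"

if __name__ == "__main__":
    for label, status in (("root", FULL_ROOT), ("restricted", ROOT_NO_SYS_ADMIN)):
        print(label, assess(SAMPLE_MOUNTS, status))
```
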