[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: How efficient is mounting /usr ro?

On Fri, 17 Oct 2003 07:08, Bernd Eckenfels wrote:
> In article <20031014175455.GH20556@dijkstra.csh.rit.edu> you wrote:
> > A read-only /usr is not a security measure.
> Depends on your definition og it-security. It reduces downtime, prevents
> some admin and software failures and therefore is a security measure.

So is a tape backup a security measure?  What about a UPS?  Is ECC memory a 
security measure?  I guess it's a security measure to buy rack mount servers 
from companies such as Dell rather than assembling your own white-box 
machines then.  :-#

Security is about protection from unauthorised access and keeping the system 
running in the face of attack.  A read-only /usr does not help this in the 
regular case as anyone who has permissions to modify files under /usr also 
has permissions to remount it read-write.

Any measure you take to prevent remounting /usr will probably also prevent 
file writes as well, so having it mounted read-only gains little.

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Reply to: