
Re: How efficient is mounting /usr ro?



Russell Coker <russell@coker.com.au> writes:

> On Sat, 18 Oct 2003 07:07, Adam ENDRODI wrote:
> > To stay on topic, I'm for keeping /usr and /usr/local read-only,
> > because really nothing should update them except for a few
> > programs under controlled circumstances (that's what makes
> > the enforcment of this policy cheap).  In addition, it might
> > help you notice an intrusion.
> 
> Unless you have a good auditing setup (none of the various auditing modules 
> are available in Debian) then you probably won't notice an automated attack 
> that is blocked by having a read-only file system.  The attack may continue 
> hitting you regularly until you remount it rw for an upgrade, at which time 
> the attack will succeed.
> 
> If you want security for such things then use SE Linux, systrace, RSBAC, or 
> GRSEC.  Don't waste time with ro mounts of /usr.

Mounting stuff read-only also prevents filesystem corruption in case
the system does crash and reduces the frequency of fscks if you reboot
frequently.

You can also just pull the network plug and go single user before
mounting /usr RW for updates.

Kind regards
        Goswin
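The two points argued over above, turned into a check an admin could run (an added example, not code from this thread or from Debian): whether /usr and /usr/local are really mounted ro, and whether the logs show any write refused with EROFS, which is the cheap but weak signal (compared to the auditing Russell mentions) that something tried to modify them. It assumes /proc/mounts-style mount lines and syslog-style log lines; both samples below are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: verify read-only policy on /usr and
# /usr/local from /proc/mounts-style text, and count log lines where a
# write was refused on a read-only filesystem (strerror text for EROFS).

# Constructed /proc/mounts sample; /usr/local is deliberately rw here.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda2 /usr ext3 ro,nodev 0 0
/dev/sda3 /usr/local ext3 rw 0 0
proc /proc proc rw 0 0'

# Constructed syslog sample with two refused writes under /usr.
SAMPLE_LOG='Oct 18 07:10:01 host cron[123]: (root) CMD (run-parts /etc/cron.hourly)
Oct 18 07:12:44 host sh[456]: cp: cannot create regular file /usr/bin/foo: Read-only file system
Oct 18 07:12:45 host sh[456]: touch: cannot touch /usr/lib/.x: Read-only file system
Oct 18 07:15:00 host sshd[789]: Accepted publickey for admin from 192.0.2.10'

# mount_mode MOUNTS_TEXT MOUNTPOINT -> prints ro, rw, or absent
mount_mode() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp {
            found = 1; mode = "rw"
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") mode = "ro"
            print mode; exit
        }
        END { if (!found) print "absent" }'
}

# ro_policy_ok MOUNTS_TEXT MP... -> returns 0 only if every MP is mounted ro
ro_policy_ok() {
    mounts=$1; shift
    rc=0
    for mp in "$@"; do
        mode=$(mount_mode "$mounts" "$mp")
        [ "$mode" = ro ] || { echo "$mp: $mode (expected ro)"; rc=1; }
    done
    return $rc
}

# count_erofs_events LOG_TEXT -> prints the number of refused-write lines
count_erofs_events() {
    printf '%s\n' "$1" | grep -c 'Read-only file system' || true
}

ro_policy_ok "$SAMPLE_MOUNTS" /usr /usr/local || echo "ro policy violated"
echo "refused writes in log: $(count_erofs_events "$SAMPLE_LOG")"
```

On a live host, feed it `$(cat /proc/mounts)` and the relevant syslog file instead of the samples; a zero count only means nothing logged a refused write, not that nothing tried.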


