Re: How efficient is mounting /usr ro?
On Thu, 09 Oct 2003 10:34:12 +0200
Tarjei Huse <tarjei@bergfald.no> wrote:
TH> Hi,
TH> The Securing Debian manual suggest one should set the /usr partition
TH> to ro and use remount when you install new programs.
TH> I was just wondering how much security one gains with this. Wouldn't
TH> most hackers go after the programs in the /bin and /sbin directories
TH> anyway?
Making /usr read-only is not for that kind of security. It will keep your data safe from corruption (soft one, anyway: a disk crash will take anything with it ;-). Besides, you can get a better performance formating it with ext2, since you'll not need journaling.
Now, there are ways to mount r-o /bin and /sbin, *and* to disable remounting them rw (unless you reset the box and provide a pass; its a kernel patch or something which's name I can't remember -- but I want to!!). There is some blurb about it here:
http://article.gmane.org/gmane.linux.debian.user/114759
And surely in other threads.
Reply to: