[1198] in linux-security and linux-alert archive

[linux-security] Linux firewall with ro fs?

daemon@ATHENA.MIT.EDU (Jozsef Kadlecsik)
Tue Oct 8 09:04:11 1996

Date: Mon, 7 Oct 1996 10:36:36 +0100 (MET)
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
To: linux-security@tarsier.cv.nrao.edu
cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
In-Reply-To: <199610062103.RAA06063@burgundy.eecs.harvard.edu>

Hello,

I'm thinking of building a firewall with Linux and have just thought of
the following: I'm paranoid about firewalls and want it to be as secure
as possible. Is there any difficulty in running Linux with all
filesystems ro? (The only writable fs would be /var = noexec, nosuid,
nodev.) The mount command would be a patched one which wouldn't
make it possible to re-mount an fs r/w.

[REW: Good idea. Remember to make /tmp a link to /var/tmp. Don't 
bother with the mount thing. I'd assume that the hackers would be 
able to get themselves a new mount binary. (If they are already running
stuff as root.......)

I'd suggest delving into the kernel sources and finishing off implementing
"securelevel" which would disallow reading/writing devices, and remounting
filesystems r/w, loading modules etc. etc.]



Any comments or hints?
Best regards,
Jozsef Kadlecsik
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
WWW-Home: http://www.kfki.hu/~kadlec
Address : KFKI Research Institute for Particle and Nuclear Physics
          P.O.B 49 Budapest, 1525 Hungary
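
A way to audit a box against the layout discussed in this message (every filesystem read-only, /var writable with noexec, nosuid and nodev, /tmp a link to /var/tmp), as an added example that is not part of the original post. The function names, the constructed sample mount table and the skipped pseudo-filesystem types are assumptions.

```shell
#!/bin/sh
# Added example: checks a mount table in /proc/mounts format against the
# "everything ro, only /var writable" layout. Names here are hypothetical.

# has_opt OPTS NAME: true if NAME is in the comma-separated option list.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# audit_mounts: reads the table on stdin, prints one FAIL line per deviation.
audit_mounts() {
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        # Assumption: kernel pseudo filesystems are outside the policy.
        case "$fstype" in proc|sysfs|devpts) continue ;; esac
        if [ "$mnt" = /var ]; then
            # /var may be writable but must not run programs or honour
            # setuid bits and device nodes.
            for o in noexec nosuid nodev; do
                has_opt "$opts" "$o" || echo "FAIL $mnt missing $o"
            done
        elif ! has_opt "$opts" ro; then
            echo "FAIL $mnt not read-only ($opts)"
        fi
    done
}

# tmp_is_var_link [ROOT]: true if ROOT/tmp is a symlink to /var/tmp, so
# that no second writable location exists outside /var.
tmp_is_var_link() {
    [ -L "$1/tmp" ] || return 1
    case "$(readlink "$1/tmp")" in /var/tmp|var/tmp) return 0 ;; *) return 1 ;; esac
}

# Constructed sample table: /usr left rw, /var lacking noexec.
SAMPLE_MOUNTS='/dev/hda1 / ext2 ro 0 0
/dev/hda2 /usr ext2 rw 0 0
/dev/hda3 /var ext2 rw,nosuid,nodev 0 0
proc /proc proc rw 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
# On a live system: audit_mounts < /proc/mounts
```

The check only reports the current state of the mount table; as the moderator's comment points out, a process already running as root can change it.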