[1213] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

Re: [linux-security] Linux firewall with ro fs?

daemon@ATHENA.MIT.EDU (Daniel Pewzner)
Sat Oct 12 07:42:49 1996

Date: Tue, 8 Oct 1996 22:48:30 -0700 (PDT)
From: Daniel Pewzner <vegi@eskimo.com>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.91.961007102811.3463A-100000@blackhole.kfki.hu>

I thought about putting an entire fs on cdrom.  With the current
price or cdrom writers, you could just burn another when you need to
update.  I know its wasteful, but its a fun idea.  Not all motherboards
boot of cdrom, of course.

When booting, create a little ramdisk you can write to, and have writable 
files a sym link to the ramdisk. Use a printer for your syslogs, so you
have a hardcopy.

Its probably not something I'll ever do, but sounds cool ;)

On Mon, 7 Oct 1996, Jozsef Kadlecsik wrote:
> I'm thinking on building a firewall with Linux and have just thought 
> the following: I'm paranoid on firewalls and want it to be as secure
> as possible. Is there any difficulty in running Linux with all 
> filesystems ro? (The only writable fs would be /var = noexec, nosuid, 
> nodev.) The mount command would be a patched one which wouldn't
> make possible to re-mount an fs to r/w.
> 
> [REW: Good idea. Remember to make /tmp a link to /var/tmp. Don't 
> bother with the mount thing. I'd assume that the hackers would be 
> able to get themselves a new mount binary. (If they are already running
> stuff as root.......)
> 
> I'd suggest delving into the kernel sources and finish off implementing
> "securelevel" which would disallow reading/writing devices, and remounting
> filsystems r/w, loading modules etc etc..]

home help back first fref pref prev next nref lref last post