[1213] in linux-security and linux-alert archive
Re: [linux-security] Linux firewall with ro fs?
daemon@ATHENA.MIT.EDU (Daniel Pewzner)
Sat Oct 12 07:42:49 1996
Date: Tue, 8 Oct 1996 22:48:30 -0700 (PDT)
From: Daniel Pewzner <vegi@eskimo.com>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.91.961007102811.3463A-100000@blackhole.kfki.hu>
I thought about putting an entire fs on cdrom. With the current
price or cdrom writers, you could just burn another when you need to
update. I know its wasteful, but its a fun idea. Not all motherboards
boot of cdrom, of course.
When booting, create a little ramdisk you can write to, and have writable
files a sym link to the ramdisk. Use a printer for your syslogs, so you
have a hardcopy.
Its probably not something I'll ever do, but sounds cool ;)
On Mon, 7 Oct 1996, Jozsef Kadlecsik wrote:
> I'm thinking on building a firewall with Linux and have just thought
> the following: I'm paranoid on firewalls and want it to be as secure
> as possible. Is there any difficulty in running Linux with all
> filesystems ro? (The only writable fs would be /var = noexec, nosuid,
> nodev.) The mount command would be a patched one which wouldn't
> make possible to re-mount an fs to r/w.
>
> [REW: Good idea. Remember to make /tmp a link to /var/tmp. Don't
> bother with the mount thing. I'd assume that the hackers would be
> able to get themselves a new mount binary. (If they are already running
> stuff as root.......)
>
> I'd suggest delving into the kernel sources and finish off implementing
> "securelevel" which would disallow reading/writing devices, and remounting
> filsystems r/w, loading modules etc etc..]