[2755] in bugtraq
Re: Read only devices (Re: BoS: amodload.tar.gz - ...)
daemon@ATHENA.MIT.EDU (Patrick Ferguson)
Thu Jun 20 21:27:29 1996
Date: Thu, 20 Jun 1996 19:50:09 -0400
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Patrick Ferguson <patrick@chloe.dmv.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <199606202323.AA01977@gateway.fedex.com>
Instead of the hassle of dealing with that, properly configure your
filesystems. Since you can mount a filesystem at any point in the tree,
why not just spend some extra time and diagram out which directories will
be write accessed the least and mount them read-only. Even superuser privs
can't violate ro mounting.
For example: since /bin and /usr/bin are traditionally manufacturer
binaries, you would only need to write to them when you upgrade the
version of the OS you're running.
This allows greater control over the disk than by using it in r/o mode.
Of course, if you upgrade your system constantly or use if for alot of
system developement, this won't work as well.
------------------------------------------------------------------------------
Patrick Ferguson - Systems Administrator patrick@dmv.com
DelMarVa OnLine! - Salisbury, MD patrick@satyricon.com
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2
mQBNAzGBrOQAAAECALpR8GMUAXnKbr9LeXVv18Q8y/n1NM1+YS8ffP/5HvM0gyso
F1T9+gcGvb3L2nFwj+wnig0UQY93vXqhXPoFN4UABRG0IlBhdHJpY2sgRmVyZ3Vz
b24gPHBhdHJpY2tAZG12LmNvbT4=
=AgnQ
-----END PGP PUBLIC KEY BLOCK-----
On Thu, 20 Jun 1996, William McVey wrote:
> Dana Bourgeois wrote:
> >With writeable CDROM drives around $700, has anybody considered setting up
> >their system from the Solaris CD, adding whatever software they need/want
> >to the machine and then backing the disk to WCDROM? It would seem that if
> >data files are backed up at regular intervals to the standard backup
> >system, the pure system could be quickly recreated any time there was a
> >question about break-ins. Maybe even on a regular basis.
>
> It seems to me that this is the same as performing backups of your
> system onto tape. You still have the problem of needing to know
> when you've compromised and needing to know what backup tapes (or
> CDs) are tainted with hostile bits.
>
> What would be really neat (albeit slow if you didn't have enough
> memory to keep common executables in core) would be running your
> operating system entirely off of cdrom (with perhaps things like
> /tmp, home directories and /var on disk). Then trojaning a system
> executable becomes very difficult indeed. Of course you really don't
> get much of an advantage from using a cdrom as opposed to using a
> disk with hardware write protection engaged.
>
> -- William
>
