[2757] in bugtraq
Re: Read only devices (Re: BoS: amodload.tar.gz - ...)
daemon@ATHENA.MIT.EDU (Sean Vickery)
Thu Jun 20 23:10:01 1996
Date: Fri, 21 Jun 1996 11:57:16 +1000
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Sean Vickery <S.Vickery@its.gu.edu.au>
X-To: Patrick Ferguson <patrick@chloe.dmv.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: Your message of "Thu, 20 Jun 1996 19:50:09 -0400."
<Pine.BSF.3.91.960620194147.3380A-100000@chloe.dmv.com>
On 20 June 1996, Patrick Ferguson wrote:
> Instead of the hassle of dealing with that, properly configure your
> filesystems. Since you can mount a filesystem at any point in the tree,
> why not just spend some extra time and diagram out which directories will
> be write accessed the least and mount them read-only. Even superuser privs
> can't violate ro mounting.
>[...]
Mounting filesystems containing system binaries read-only does not
sound as safe as turning on the hardware write-protect on the disks
containing those filesystems.
Why? If an attacker can alter your system binaries, s/he must have root
privileges. Which means s/he can also unmount the filesystems and
remount them read-write. But to change the disk back to read-write
cannot be done over the network. It requires physical access to the
disk(s).
Sean.
--
Sean Vickery <S.Vickery@its.gu.edu.au> Ph: +61 (0)7 3875 6410
Systems Programmer Information Services Griffith University
