Rohde.Henning at gmx.net
Wed Oct 10 07:42:17 PDT 2001
hi everybody else,
hmm, Fergus, please explain what you want to achieve, what are you
You wonder why I'm asking although you've given quite some details?
The security-requirements for any system depend on the purpose you want
to use it for.
If you wanted to setup your box like some surfing-station in an
internet-café, you were told to keep your [anonymous] user from
re-configuring the desktop, and to keep him from doing some harm on the
shell, because anything else would mean neverending labour at reverting
the tweaks the users had made.
-> how this could be achieved you'll definitely be able to find somewhere
on the web, IIRC there's a 'kiosk-mode' for instance in KDE.
-->> What you must consider if you'd like to setup your private
workstation like this is, that the restrictions you've setup will hinder
your daily work, so you'll find yourself in doing daily work being
'super-user' the whole time!
If you'd like to setup a server, I'd recommend that it's serving only
one single service, anything else raises the risk of losing data because
of an exploit in a service that appears unimportant and is because of
that seldom updated.
-> Because there's only one open port on it, there's no need to do
firewalling, except for special cases, see my firewalling-hint.
-->> If you can't afford this layout you've to make a compromise at
If you were responsible for a big amount of computers, each one probably
insecure, you could benefit by using a firewall.
-> you could restrict any access from the internet to these computers.
-->> Your user will very soon tell you that 'something is not working
anymore', so you'll have to loosen the firewalling-rules, mostly up to
some level that would mean a total ineffectiveness of the firewall!
But in the case that
-> you're having your own computers, less than a handful of them.
-> you know of the programs you've installed on them.
-> you're the only one that's doing any work on it, or,
you trust your users, nobody will do any harm just for fun!
-> you're doing 'all days work' being some 'normal' user,
having restricted access, NOT root.
-->> (A) what you fear is, that you make some mistake and delete, for
instance, '/usr', or change by accident root's password to
-->> (B) what you fear is, that your filesystem gets damaged in an
-->> (C) what you fear is, that you delete your documents by mistake,
or your harddisk sounds weird and you have no backup,
or the backup on the old floppies proves unreadable.
-->> (D) what you fear is, that somebody bad scans your masquerading
router and finds a service you've misconfigured, e.g., X11.
-->> (E) You've to use proprietary software, and fear that there's some
trojan implemented in it.
Is this the case you're thinking about? Have I forgotten something?
--->>> This is the case where the hard labour begins: ;-)
(A+B) Think about some elaborated layout of your filesystems:
/, /bin, /dev, /etc, /lib, /sbin, /usr \
on a separate partition, mounted read-only
/boot - " -, - " -
/home - " -, eventually mirrored
/opt, /usr/local, /usr/X11 \
- " -, mounted read-only
- " -, mounted writeable
/var, /tmp - " -, - " -
If you install any software you'll be able to remount the read-only
mounted partitions rw, remounting them ro immediately after the
installation, so your filesystem will be OK in the case of a power-failure.
If you ask which filesystems I recommend, I don't know, but I would
choose some fs that's capable of journalling for at least those that are
mounted writeable in daily use, if not for all.
BTW: You may get a simpler layout if you make intensive use of symlinks
or if you use the new Linux2.4 feature of 'mount -o bind /var/tmp /tmp'.
If you would really like to setup this layout, please ask again, I'll
tell you of my experiences in doing so, some of the bootscripts have to
(C) Do regularly back up your documents, on floppies, on tapes, on your
harddisks, whatever you can afford.
If you are very conscious about your documents, encrypt the archive and
transfer it to somebody you pay for keeping it [=webspace].
(D+E) Setup your own 'personal firewall', as lined out in my hint.
These are just my EUR 0.02, I hope they do help you,
PS: excuse me for starting a new thread, but I couldn't find your first
mail as a posting in the newsgroup.
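
An added example, not part of the original mail: a check for the (A+B) layout that reports any partition meant to be read-only which is currently writable, for instance because it was remounted rw for an installation and never switched back. The table is in /proc/mounts format; the sample table, the device names and the list of mount points checked are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit a mount table against a read-only layout.
# Table format is that of /proc/mounts:
#   device mountpoint fstype options dump pass

# audit_ro TABLE MOUNTPOINT...
# Prints one line per finding and returns 1 if there was any.
audit_ro() {
    table=$1; shift
    findings=0
    for mp in "$@"; do
        # A mount point can be listed more than once (e.g. rootfs, then
        # the real root device); the last entry is the one in effect.
        opts=$(printf '%s\n' "$table" |
               awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
        if [ -z "$opts" ]; then
            echo "NOT-MOUNTED $mp"      # no partition of its own
            findings=1
            continue
        fi
        case ",$opts," in
            *,ro,*) ;;                   # read-only, as intended
            *) echo "WRITABLE $mp"; findings=1 ;;
        esac
    done
    return "$findings"
}

# Constructed sample: /opt was remounted rw for an installation and
# never switched back to ro.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/hda1 / ext2 ro 0 0
/dev/hda2 /boot ext2 ro 0 0
/dev/hda5 /opt ext3 rw,noatime 0 0
/dev/hda6 /home ext3 rw 0 0
/dev/hda7 /var ext3 rw 0 0'

# Assumed list of mount points that should be read-only in daily use.
audit_ro "$SAMPLE_MOUNTS" / /boot /opt || echo "layout check failed"
```

On a live system the table would come from `audit_ro "$(cat /proc/mounts)" / /boot /opt`, run from cron or at logout.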