multiple partitions - useful mount options for extra security

J.A. Neitzel jan.listbox at belvento.org
Mon Dec 18 11:10:29 PST 2000


On Friday 15 December 2000 15:10, Rudolf Floers gave us this to ponder:
> > well think it's a good idea to mount var, tmp and maybe home
> > rw,noexec and nodev. everything else could be mounted ro, but unless
> > you use devfs you will run into problems with /dev mounted readonly.
>
> i think it's not a good idea to use such a setup on development
> machines, but ona mail,pop3,firewall,ftp,.. server it does improve
> security. you don't want to change files in /usr so often on such
> machines.

Indeed, I do agree with you!

If only I could get a second, or third, machine... then I could *really* 
cook with all these ideas! Hmmm, *_dreaming_* ;-))

> i also like the idea to put certain, security-concerning binaries on a
> maintenance cd. you could put the mount/umount command on that cd, too.
> and then use a special mount/umount binary on your servers harddisk.
> this special mount command should only be able to mount the cd drive -
> nothing else. if you also removed all other chances to remount your
> partitions off your system (perl, for instance), even a root couldn't
> modify/delete your read-only data and couldn't upload _and_ execute his
> own stuff. (unless the maintenance cd is in the drive..., of course)

Wop! I'll take your word for it, since most of these things are either 
beyond *my* abilities or beyond my *hardware's* (no cd burner here).

But, all the same, I shall put these on my "Nifty Security Ideas" ToDo 
list.

> just an idea. :-)

Indeed, and a good one too. You idea has gotten my brain cooking on all 
sorts of possibilities! :o)
-- 
Thanks,
Jeff





More information about the lfs-security mailing list