Date: Tue, 28 Dec 1999 11:30:34 -0800 (PST) From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net> To: brian@CSUA.Berkeley.EDU (Brian W. Buchanan) Cc: beaupran@iro.umontreal.ca (Spidey), freebsd-security@FreeBSD.ORG Subject: Re: Mounting / Read-Only Message-ID: <199912281930.LAA70952@gndrsh.dnsmgr.net> In-Reply-To: <Pine.BSF.4.10.9912281117240.46739-100000@smarter.than.nu> from "Brian W. Buchanan" at "Dec 28, 1999 11:19:42 am"
next in thread | previous in thread | raw e-mail | index | archive | help
> On Tue, 28 Dec 1999, Spidey wrote: > > > I was also wondering... If we can modify the status (RW/RO) of a > > mounted filesystem (/ included) with mount -u, why bother? :)) > > > > What is the purpose of mounting a filesystem ReadOnly, since it can be > > disabled? Does it serve the same function as the schg flag? I think > > the securelevel does not change this behavior, right? > > Mounting a filesystem read-only is not a security measure. I disagree, mounting a filesystem read-only _is_ a security measure, it can prevent certain attacks that may not have compromised root, but say they did manage to compromise something that would allow them to write a file in /usr/bin, if /usr/bin/ is read-only the are SOL, if it is r/w they be having root in a few minutes... > It gains you > nothing if root is compromised. But it gains you a lot if it defeats them from getting root. From someone who almost always runs /usr RO.... -- Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199912281930.LAA70952>