From owner-freebsd-security Tue Dec 28 12: 1:37 1999
Delivered-To: freebsd-security@freebsd.org
Received: from beach.silcom.com (beach.silcom.com [199.201.128.19])
	by hub.freebsd.org (Postfix) with ESMTP id D239214F3F
	for ; Tue, 28 Dec 1999 12:01:31 -0800 (PST)
	(envelope-from brian@CSUA.Berkeley.EDU)
Received: from smarter.than.nu (pm1-38.vpop1.avtel.net [207.71.237.88])
	by beach.silcom.com (Postfix) with ESMTP id 6BF6A145720;
	Tue, 28 Dec 1999 12:00:58 -0800 (PST)
Date: Tue, 28 Dec 1999 12:00:57 -0800 (PST)
From: "Brian W. Buchanan"
X-Sender: brian@smarter.than.nu
To: "Rodney W. Grimes"
Cc: Spidey , freebsd-security@FreeBSD.ORG
Subject: Re: Mounting / Read-Only
In-Reply-To: <199912281930.LAA70952@gndrsh.dnsmgr.net>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 28 Dec 1999, Rodney W. Grimes wrote:

> > On Tue, 28 Dec 1999, Spidey wrote:
> > 
> > > I was also wondering... If we can modify the status (RW/RO) of a
> > > mounted filesystem (/ included) with mount -u, why bother? :))
> > > 
> > > What is the purpose of mounting a filesystem ReadOnly, since it can be
> > > disabled? Does it serve the same function as the schg flag? I think
> > > the securelevel does not change this behavior, right?
> > 
> > Mounting a filesystem read-only is not a security measure.
> 
> I disagree, mounting a filesystem read-only _is_ a security measure, it
> can prevent certain attacks that may not have compromised root, but
> say they did manage to compromise something that would allow them to
> write a file in /usr/bin, if /usr/bin/ is read-only they are SOL, if
> it is r/w they'll be having root in a few minutes...

Not really.  If anyone other than root can write to /bin, /usr/bin, or any
other directory containing binaries root might run, then your permissions
are set up incorrectly.

> ls -la /usr/bin |head
total 14697
drwxr-xr-x   2 root  wheel   6656 Dec 17 22:06 .
drwxr-xr-x  20 root  wheel    512 Dec  2 10:05 ..
-r-xr-xr-x   3 root  wheel  68076 Dec  2 02:46 CC
-r-xr-xr-x   2 root  wheel  64876 Dec  2 02:50 Mail
-r-xr-xr-x   1 root  wheel  99254 Dec  2 02:48 a2p
-r-xr-xr-x   1 root  wheel  36992 Dec  2 02:46 addftinfo
-r-xr-xr-x  14 root  wheel  50928 Dec  2 02:50 addr2line
-r-xr-xr-x   1 root  wheel   5184 Dec  2 02:50 apply
-r-xr-xr-x   2 root  wheel   2245 Dec  2 02:46 apropos

All binaries have write permissions turned off, root owns all binaries,
and only root can write to the directory.  The only thing read-only
mounting the filesystem protects you from is someone who's found a hole
that lets him write arbitrary data as root at an arbitrary point on the
filesystem, and by that point I'd be willing to bet that you've already
lost, since he can probably nail /etc/spwd.db, /etc/rc, or any number of
other things.

schg flags and securelevels are your friends when it comes to protecting
binaries and configuration data.  Protecting the password file is a bit
trickier...  I guess there is no substitute for a thorough code review.

-- 
Brian Buchanan                                     brian@CSUA.Berkeley.EDU
--------------------------------------------------------------------------
FreeBSD - The Power to Serve!                       http://www.freebsd.org


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
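The invariants Brian lists above (root owns every binary, no write bit for group or other, and only root can write to the directory itself) are easy to check mechanically, and checking them is the practical answer to "why bother with read-only". The script below is an added example written for this page, not code from the thread or from FreeBSD. The function names, the OWNER parameter (default root, overridable so the check can be exercised on a scratch directory as an ordinary user) and the demo directory it builds are assumptions of the example. It uses POSIX find(1) plus -maxdepth, which GNU and BSD find both support; the FreeBSD schg/securelevel step is shown as a comment and not executed.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit a directory of
# binaries for the invariants from the message above. Owner defaults to root.

# list_bad_entries DIR [OWNER]
# Print DIR itself and each direct child that is (a) not owned by OWNER or
# (b) writable by group or other. POSIX "-perm -MODE" matches only when ALL
# bits in MODE are set, so 020 (group) and 002 (other) are tested separately.
# Symlinks are excluded from the mode test: find uses lstat, which reports
# them as 0777 and would produce false positives; their owner is still checked.
list_bad_entries() {
    dir=$1
    owner=${2:-root}
    find "$dir" -maxdepth 1 \( ! -user "$owner" \
        -o \( ! -type l -a \( -perm -020 -o -perm -002 \) \) \) -print
}

# count_bad_entries DIR [OWNER]: number of offending entries, on stdout.
# tr strips the leading padding BSD wc prints.
count_bad_entries() {
    list_bad_entries "$1" "${2:-root}" | wc -l | tr -d ' '
}

# audit_bindir DIR [OWNER]: human-readable report. Exit 0 if clean, 1 if not.
audit_bindir() {
    n=$(count_bad_entries "$1" "${2:-root}")
    if [ "$n" -eq 0 ]; then
        echo "OK: $1 is owned by ${2:-root} and writable by nobody else"
        return 0
    fi
    echo "FAIL: $n offending entries under $1:"
    list_bad_entries "$1" "${2:-root}" | while read -r f; do
        ls -ld "$f"     # show the mode and owner that tripped the check
    done
    return 1
}

# On FreeBSD the next layer is the immutable flag plus a raised securelevel,
# which is what stops root (and "mount -u -o rw /") from undoing the above:
#   chflags schg /bin/* /sbin/* /usr/bin/* /usr/sbin/*
#   sysctl kern.securelevel      # >= 1 makes schg binding on root as well
# These are FreeBSD-specific and are deliberately not run by this script.

# Constructed demonstration on a scratch directory, not the real /usr/bin.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"; chmod 755 "$tmp/bin"
    printf '#!/bin/sh\necho hi\n' > "$tmp/bin/good"; chmod 555 "$tmp/bin/good"
    audit_bindir "$tmp/bin" "$(id -un)"
    printf '#!/bin/sh\necho hi\n' > "$tmp/bin/bad";  chmod 775 "$tmp/bin/bad"
    audit_bindir "$tmp/bin" "$(id -un)" || echo "(group-writable binary caught)"
    rm -rf "$tmp"
fi
```

Run it as `sh audit.sh demo` to see a clean directory pass and a group-writable binary get flagged. Against a live system, `audit_bindir /usr/bin` (owner root) reproduces the check Brian did by eye with `ls -la`, and the directory entry is included because a writable directory lets an attacker replace a binary without ever touching the binary's own mode bits.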