Date: Thu, 30 Dec 1999 23:40:00 -0600 (CST) From: Joe Greco <jgreco@ns.sol.net> To: freebsd@gndrsh.dnsmgr.net Cc: freebsd-security@freebsd.org Subject: Re: Mounting / Read-Only Message-ID: <199912310540.XAA51399@aurora.sol.net>
index | next in thread | raw e-mail
"Brian W. Buchanan" <brian@CSUA.Berkeley.EDU> writes: > On Tue, 28 Dec 1999, Rodney W. Grimes wrote: > > > On Tue, 28 Dec 1999, Spidey wrote: > > > > I was also wondering... If we can modify the status (RW/RO) of a > > > > mounted filesystem (/ included) with mount -u, why bother? :)) > > > > > > > > What is the purpose of mounting a filesystem ReadOnly, since it can be > > > > disabled? Does it serve the same function as the schg flag? I think > > > > the securelevel does not change this behavior, right? > > > > > > Mounting a filesystem read-only is not a security measure. > > I disagree, mounting a filesystem read-only _is_ a security measure, it > > can prevent certain attacks that may not have compromised root, but > > say they did manage to compromise something that would allow them to > > write a file in /usr/bin, if /usr/bin/ is read-only the are SOL, if > > it is r/w they be having root in a few minutes... > > Not really. If anyone other than root can write to /bin, /usr/bin, or any > other directory containing binaries root might run, then your permissions > are set up incorrectly. And if I manage to clobber a file using ill-gained root privilege, then I win. Would you like to know how many security issues I've tracked back to files getting clobbered via some root privilege hole? _Most_ of them. > > ls -la /usr/bin |head > total 14697 > drwxr-xr-x 2 root wheel 6656 Dec 17 22:06 . > drwxr-xr-x 20 root wheel 512 Dec 2 10:05 .. > -r-xr-xr-x 3 root wheel 68076 Dec 2 02:46 CC > -r-xr-xr-x 2 root wheel 64876 Dec 2 02:50 Mail > -r-xr-xr-x 1 root wheel 99254 Dec 2 02:48 a2p > -r-xr-xr-x 1 root wheel 36992 Dec 2 02:46 addftinfo > -r-xr-xr-x 14 root wheel 50928 Dec 2 02:50 addr2line > -r-xr-xr-x 1 root wheel 5184 Dec 2 02:50 apply > -r-xr-xr-x 2 root wheel 2245 Dec 2 02:46 apropos > > All binaries have write permissions turned off, root owns all binaries, > and only root can write to the directory. The only thing read-only > mounting the filesystem protects you from is someone who's found a hole > that lets him write arbitrary data as root at an arbitrary point on the > filesystem, and by that point I'd be willing to bet that you've already > lost, since he can probably nail /etc/swpd.db, /etc/rc, or any number of > other things. We were originally discussing / read-only, which kinda exempts things in /etc from being vulnerable. > schg flags and securelevels are your friends when it comes > to protecting binaries and configuration data. Protecting the password > file is a bit trickier... I guess there is no substitute for a thorough > code review. Protecting the password file isn't tricky, if you don't need it to change very often. :-) I schg very large portions of a system by default, on the basis that I really don't want it to change unless I go dink with the machine on the console. This is not mutually incompatible with ro mounts, however. ro mounts may be an option for a filesystem where you normally want the entire thing to be frozen, but you may wish to make changes while in multiuser mode (something you can't do with schg). schg has much finer-grained control over individual files, but is hell if you really need to change a file on a running system without rebooting. Both will protect you from overwrite-via- root-privilege-hole exploits. ro won't protect you if they actually gain a root shell. A well-implemented schg strategy will make life hell for an intruder, possibly at the risk of making life difficult for the admin. And using both together provides additional layers of frustration for any would-be hacker. If you want to talk paranoia and layers of frustration, this shell server I'm on: Diskless boots off of a NFS server that is protected up the wazoo, Mounts its filesystems RO, The NFS server exports its filesystems RO, and the underlying filesystems are mounted RO, and the files are _still_ schg protected. I do not have many fears of people overwriting my binaries, but running tripwire periodically is still smart. I resisted the temptation of wiring the RO jumper on the hard drive to a switch on the panel. ... Joe ------------------------------------------------------------------------------- Joe Greco - Systems Administrator jgreco@ns.sol.net Solaria Public Access UNIX - Milwaukee, WI 414/342-4847 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the messagehelp
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199912310540.XAA51399>