Life in an insecure world
John Watlington
wad at laptop.org
Mon Feb 9 20:00:29 EST 2009
Thanks for the discussion, but I agree with Scott's
"what root can do, root can undo".
I brought up "rm -f /*" in the context of illustrating that the worst
you
can do in Linux doesn't compare with enabling security from OFW.
If anyone insists on continuing this thread,
there are a number of questions raised by providing
direct access to the 'rm' command. Unlike any user friendly
OS, in UNIX this command is final...
Cheers,
wad
On Feb 9, 2009, at 6:07 PM, Martin Langhoff wrote:
> On Tue, Feb 10, 2009 at 11:31 AM, C. Scott Ananian
> <cscott at laptop.org> wrote:
>>> Do you mean having it on a separate partition? How do you decide
>>> space
>>> dedicated to the partition?
>>
>> No, you can bind-mount subtrees read-only.
>
> But then, it still has to reside somewhere in the / filesystem. And
> that somewhere will get nuked...
>
> Am I missing some cunning step? My stupid test seems to indicate that
> a simple mount won't protect us...
>
> $ sudo mkdir -p /secret/path/to/versions
> $ sudo touch /secret/path/to/versions/afile
> $ sudo mkdir /versions
> $ sudo mount -o ro,bind /secret/path/to/versions /versions
> $ ls /versions
> afile
> $ sudo rm -fr /secret
> $ ls /versions
> $ uname -a
> Linux martin-onyx 2.6.27-11-generic #1 SMP Thu Jan 15 11:03:58 UTC
> 2009 i686 GNU
> /Linux
>
>
>
> m
> --
> martin.langhoff at gmail.com
> martin at laptop.org -- School Server Architect
> - ask interesting questions
> - don't get distracted with shiny stuff - working code first
> - http://wiki.laptop.org/go/User:Martinlanghoff
More information about the Devel
mailing list