On Mon, May 31, 2004 at 03:47:14PM +0100, Barry Flanagan wrote:
> If the entire network is compromised then game over, sure.
If you NFS mount your /usr for several machines from one machine, then
it's "if that one machine is compromised then game over". That's hardly
defense in-depth. It's a perfectly valid trade-off, but it increases
your exposure to some security problems and decreases to others and it's
certainly less ductile with a pretty ugly failure-mode.
I certainly wouldn't regard it as "more secure".
> What I contend is that by having a ro NFS mounted /usr (as well as
> other sensible filesystem precautions) you are greatly reducing the
> chances of that happening.
> I am a great believer in multiple lines of defence, and this is surely
> one of them.
I don't see how. If the local machine is rooted, you aren't preventing
anything there. A would-be attacker who now has root can just as easily
mount a new directory over /usr/sbin/ for example - so I don't see what
it has gained you there. And now if your central host is compromised
- boom go them all, rather than just one box in the non-NFS model - so
you've lost a whole ton there.
Now where it does give you a security gain is the ability to update
critical binaries on many machines in one go. But there are better ways
to do that that don't involve a massive dependency in the middle of your
Then obviously there are other factors that might make it worth the
trade-off, such as the savings in disk space, ease of backups and
consistency and so on. But it's still the opposite of the defence in
Colm MacCárthaigh Public Key: colm+pgp at stdlib.net
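As an added example (not part of this mail or the thread), here is a small audit that reads a /proc/mounts listing and flags the two failure modes argued over above: a /usr that is not actually mounted read-only, and a later mount layered over a path under /usr such as /usr/sbin. The listing is constructed for the example; the server name and address in it are placeholders.

```python
# Added example, not code from the original mail: audit a /proc/mounts
# listing for a /usr that is not read-only and for mounts shadowing
# paths beneath /usr (the "mount over /usr/sbin" case from the thread).
from dataclasses import dataclass

# Constructed sample in /proc/mounts format: an NFS /usr mounted ro, plus a
# tmpfs mounted over /usr/sbin afterwards. Names and addresses are placeholders.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
proc /proc proc rw 0 0
nfsserver:/export/usr /usr nfs ro,hard,intr,addr=10.0.0.1 0 0
tmpfs /usr/sbin tmpfs rw 0 0
/dev/sda2 /home ext3 rw 0 0
"""

@dataclass
class Mount:
    source: str
    target: str
    fstype: str
    options: tuple

def parse_mounts(text):
    """Parse /proc/mounts-style lines (source target fstype options ...)."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        mounts.append(Mount(fields[0], fields[1], fields[2],
                            tuple(fields[3].split(","))))
    return mounts

def audit_usr(mounts, root="/usr"):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    usr = [m for m in mounts if m.target == root]
    if not usr:
        findings.append(f"{root} is not a separate mount")
    else:
        m = usr[-1]  # if a path was mounted twice, the later mount is what is visible
        if "ro" not in m.options:
            findings.append(f"{root} ({m.source}, {m.fstype}) is mounted rw")
    # Anything mounted below /usr hides part of the read-only tree.
    for m in mounts:
        if m.target.startswith(root + "/"):
            findings.append(f"{m.target} shadowed by {m.fstype} mount from {m.source}")
    return findings
```

On a live host the same check runs on `open("/proc/mounts").read()` instead of the sample string; it only detects overlays visible in the current mount namespace.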