
[ILUG] History of /etc ?

Colm MacCarthaigh colm at stdlib.net
Mon May 31 16:10:48 IST 2004


On Mon, May 31, 2004 at 03:47:14PM +0100, Barry Flanagan wrote:
> If the entire network is compromised then game over, sure. 

If you NFS mount your /usr for several machines from one machine, then
it's "if that one machine is compromised then game over". That's hardly
defense in depth. It's a perfectly valid trade-off, but it increases
your exposure to some security problems and decreases it to others, and it's
certainly less ductile with a pretty ugly failure-mode.

I certainly wouldn't regard it as "more secure".

> What I contend is that by having a ro NFS mounted /usr (as well as
> other sensible filesystem precautions) you are greatly reducing the
> chances of that happening.
> 
> I am a great believer in multiple lines of defence, and this is surely
> one of them. 

I don't see how. If the local machine is rooted, you aren't preventing
anything there. A would-be attacker who now has root can just as easily
mount a new directory over /usr/sbin/ for example - so I don't see what
it has gained you there. And now if your central host is compromised
- boom go them all, rather than just one box in the non-NFS model - so
you've lost a whole ton there.

Now where it does give you a security gain is the ability to update
critical binaries on many machines in one go. But there are better ways
to do that that don't involve a massive dependency in the middle of your
machines.

Then obviously there are other factors that might make it worth the
trade-off, such as the savings in disk space, ease of backups and
consistency and so on. But it's still the opposite of the defence in
depth model.

-- 
Colm MacCárthaigh                        Public Key: colm+pgp at stdlib.net
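The practical upshot of the argument above is that a read-only NFS /usr is a configuration choice, not a control a local root can't undo, so the thing worth automating on each client is noticing when the shared tree is not what you expect: a network /usr that has ended up mounted read-write, or anything mounted on top of a directory beneath it. The audit below is an added example, not code from this thread or from ILUG; it parses the /proc/self/mountinfo format that Linux exposes (the field layout is real; the sample mount table, the host name `fileserver`, the 192.0.2.10 address and the `NETWORK_FS` set of filesystem types to treat as remote are constructed for the example).

```python
"""Audit a Linux mount table for a shared, network-mounted /usr.

Added example, not part of the ILUG thread. Input is in the format of
/proc/self/mountinfo:

    ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTIONS [optional...] - FSTYPE SOURCE SUPEROPTS

The audit reports two things a read-only NFS /usr cannot enforce by itself:
(a) the shared tree is network-mounted but not read-only on this client, and
(b) something else has been mounted on top of a directory beneath the tree.
"""
import os
import re
from dataclasses import dataclass
from typing import List

# Filesystem types this example treats as "served from another machine".
# Assumption for the example; extend to whatever your site actually uses.
NETWORK_FS = {"nfs", "nfs4", "cifs", "smb3"}

# Constructed sample mount table: /usr comes from NFS but is rw, and a tmpfs
# has been placed on top of /usr/sbin. Nothing here is a real host.
SAMPLE_MOUNTINFO = """\
21 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
40 21 0:35 / /usr rw,relatime - nfs fileserver:/export/usr rw,vers=3,addr=192.0.2.10
55 40 0:40 / /usr/sbin rw,nosuid,relatime - tmpfs tmpfs rw
"""


@dataclass
class Mount:
    mountpoint: str
    options: List[str]   # per-mount options (field 6), e.g. ["ro", "relatime"]
    fstype: str
    source: str


def unescape_mountinfo(field: str) -> str:
    """mountinfo encodes space, tab, newline and backslash as \\040, \\011, \\012, \\134."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[Mount]:
    """Parse mountinfo-format text into Mount records; raises on a malformed line."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, sep, right = line.partition(" - ")   # " - " separates the two halves
        if not sep:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        lf = left.split()
        rf = right.split()
        if len(lf) < 6 or len(rf) < 2:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        mounts.append(Mount(
            mountpoint=unescape_mountinfo(lf[4]),
            options=lf[5].split(","),
            fstype=rf[0],
            source=unescape_mountinfo(rf[1]),
        ))
    return mounts


def audit_shared_tree(mounts: List[Mount], tree: str = "/usr") -> List[str]:
    """Return human-readable findings for the shared tree, empty if all is as expected."""
    findings = []
    prefix = tree.rstrip("/") + "/"
    for m in mounts:
        if m.mountpoint == tree:
            if m.fstype in NETWORK_FS and "ro" not in m.options:
                findings.append(f"{tree} is network-mounted ({m.fstype}) but read-write")
        elif m.mountpoint.startswith(prefix):
            # Any mount below the shared tree shadows the centrally managed copy.
            findings.append(f"{m.mountpoint} has {m.fstype} ({m.source}) mounted on top of it")
    return findings


if __name__ == "__main__":
    # Run against the constructed sample, then against the live table if present.
    for name, text in (("sample", SAMPLE_MOUNTINFO),):
        for finding in audit_shared_tree(parse_mountinfo(text)):
            print(f"[{name}] {finding}")
    if os.path.exists("/proc/self/mountinfo"):
        with open("/proc/self/mountinfo") as fh:
            for finding in audit_shared_tree(parse_mountinfo(fh.read())):
                print(f"[live] {finding}")
```

Running it on the sample prints one finding for the read-write NFS /usr and one for the tmpfs over /usr/sbin; on a host with a correctly mounted read-only /usr and nothing layered beneath it, the audit is silent. Because the check runs on the client with the local root's view of the mount table, it is only as trustworthy as that host, which is exactly the point made above: it tells you something has gone wrong, it does not stop it.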


