On Sun, Oct 19, 2003 at 07:46:41PM -0400, Michael Stone wrote:
> >is not a security argument. The argument must be about
> >why it must *GIVEN* rw.
>
> No, it's an argument of efficacy. Removing rw from a mount doesn't
> remove the ability to write to it for a malicious user. If it gives you
> warm fuzzies, great, do it. But that's all it's going to do for you.
Let me start again. Least privilege means you start with everything blocked. Now you give the minimum rwx (and other privs) to each file or process that is needed to do the job that root or whomever is required to do. So you have to make the argument: why should w priv be *added* on the /usr mount? I'm not saying the argument cannot be made, but that is the way you approach it. For security you assume a privilege is *not* allowed *unless* you can argue that it should be turned on. That is the inverse of the arguments I am reading. So start from /usr ro, and then list the reasons why it needs to be rw. If there are enough and they are good enough, then allow it. Arguments of the form "they'll come in through a different door" are not reasons for adding a privilege.
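As an added example, not part of the thread or any poster's code, here is the "start from ro and list what needs rw" check turned into a small POSIX shell audit. It reads a mount table in /proc/mounts or /etc/fstab layout (same six fields in both), and reports which mountpoints from a ro-by-default list are actually mounted rw; each one reported is a mountpoint that needs a justification for having the write privilege. The sample table and the RO_BY_DEFAULT list are constructed for the example; adjust the list to the real mount layout.

```shell
#!/bin/sh
# Added example (not from the thread): audit a mount table against a
# least-privilege policy where listed mountpoints are read-only unless argued otherwise.

# Constructed sample in /proc/mounts layout: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /usr ext3 rw 0 0
/dev/sda3 /var ext3 rw 0 0
/dev/sda4 /boot ext2 ro 0 0
proc /proc proc rw 0 0'

# Policy for the example (an assumption): these mountpoints default to ro.
RO_BY_DEFAULT="/usr /boot /opt"

# mount_opts MOUNTPOINT < mount-table : print the option field of MOUNTPOINT
mount_opts() {
    awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# mount_state MOUNTPOINT < mount-table : print "ro", "rw" or "absent"
# "ro" is recognised anywhere in a comma-separated option list (e.g. ro,nodev,nosuid);
# anything else, including "defaults", counts as rw.
mount_state() {
    opts=$(mount_opts "$1")
    if [ -z "$opts" ]; then
        echo absent
    else
        case ",$opts," in
            *,ro,*) echo ro ;;
            *)      echo rw ;;
        esac
    fi
}

# audit_rw < mount-table : list mountpoints from RO_BY_DEFAULT that are mounted rw.
# Each line printed is a write privilege that has to be argued for, not assumed.
audit_rw() {
    table=$(cat)
    for mp in $RO_BY_DEFAULT; do
        state=$(printf '%s\n' "$table" | mount_state "$mp")
        if [ "$state" = rw ]; then
            printf '%s\n' "$mp"
        fi
    done
}

# Run against the constructed sample: prints /usr (mounted rw; /boot is ro, /opt absent).
printf '%s\n' "$SAMPLE_MOUNTS" | audit_rw
```

On a live system run `audit_rw < /proc/mounts` for the current state, or `audit_rw < /etc/fstab` for what the next boot will do. The check only tells you the state right now: root can still `mount -o remount,rw /usr`, which is the efficacy point raised in the quoted reply, so ro protects against mistakes and non-root writes rather than against an attacker who already has root.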