On Sun, 30 Nov 2003 23:21:24 +0100, Miernik wrote:
> On 2003-11-30, Karsten M. Self <[EMAIL PROTECTED]> wrote:
>>> I recommend making it far larger than in the Debian security doc
>>> though. On my servers I have /boot and /usr read-only, and I've been
>>
>> You can leave /boot unmounted altogether. The only times it needs to be
>> accessed are:
>>
>> - At boot time, where access is direct to partition, and the partition
>>   need not be mounted (indeed, can't be).
>>
>> - When examining kernel config files and System maps (read-only)
>>
>> - When installing a new kernel (writeable)
>
> Show me a good reason to separate /boot to a separate partition at
> all. What's the extra security we get out of this?
> In /boot there are only the kernel images, System.map's, kernel
> config, and GRUB config.
>
> All that is writable only by root anyway (perms -rw-r--r-- root.root)
> If an attacker gets rights to write or change perms of files there,
> he can equally easily remount the partition rw.
>
> So what's the point?

Elementary System Administration and Security
---------------------------------------------

Lesson #1: Don't mount things not needed for the operation of the system
Lesson #2: Mount things with the minimum permissions necessary for the
           operation of the system.
Lesson #3: Don't overcomplicate system administration by unnecessary
           duplication

re. Lesson #1:
/boot is not needed for the normal operation of the system, and not
mounting it provides two security benefits:
 - it can't get accidentally or maliciously damaged
 - Conf files are the system admin's business only, but may be of
   interest to persons of malice.

re. Lesson #2:
 - If the sysadmin just needs to see or read /boot files, mounting it ro
   reduces the risk of accidental or malicious damage.

re. Lesson #3:
 - An example: I run more than one Linux instance, each with its own /.
   I also have several kernels. If I put /boot on its own filesystem, I
   don't have to duplicate it.

With regard to your comment about root access: if someone gets root
access, *all* your system security is fscked anyway.

-- 
....................paul

"The average lifespan of a Web page today is 100 days.
This is no way to run a culture."
Internet Archive Board Chairman
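
An added example, not part of the original message: a small audit of
Lessons #1 and #2 as they apply to /boot. It checks that fstab keeps
/boot either noauto or ro and that the live mount table shows it absent
or ro. The function names, device names and sample tables are
constructed for illustration.

```shell
#!/bin/sh
# Classify a mount point from an fstab- or /proc/mounts-format file
# (both keep the mount point in field 2 and the options in field 4).
# Prints one of: absent | noauto | ro | rw
mount_policy() {
    mp=$1
    file=$2
    awk -v mp="$mp" '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        $2 == mp {
            found = 1; state = "rw"        # rw is the default when unstated
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] == "noauto") { state = "noauto"; break }
                if (opt[i] == "ro") state = "ro"
            }
        }
        END { print (found ? state : "absent") }
    ' "$file"
}

# Lesson #1: /boot is not mounted at all (noauto in fstab, absent live).
# Lesson #2: if it is mounted, it is mounted ro.
# Returns 0 when both the configuration and the live state comply.
audit_boot() {
    conf=$(mount_policy /boot "$1")
    live=$(mount_policy /boot "$2")
    echo "/boot: fstab=$conf live=$live"
    case "$conf" in noauto|ro) ;; *) return 1 ;; esac
    case "$live" in absent|ro) ;; *) return 1 ;; esac
    return 0
}

# Constructed sample tables (not taken from any real system).
tmp=$(mktemp -d)
cat > "$tmp/fstab" <<'EOF'
# <device> <mount point> <type> <options> <dump> <pass>
/dev/sda1  /boot  ext2  noauto,ro  0 2
/dev/sda2  /      ext3  defaults   0 1
EOF
cat > "$tmp/mounts" <<'EOF'
/dev/sda2 / ext3 rw 0 0
EOF
audit_boot "$tmp/fstab" "$tmp/mounts" || echo "/boot violates the policy"
rm -rf "$tmp"
```

On a real host the same check is `audit_boot /etc/fstab /proc/mounts`.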