On Wed, May 01, 2002 at 10:15:45AM +0200, Andi Kleen wrote:
>
> It's still useless. As long as you have access to /dev/mem you can
> patch kernel code which eventually leads to being able to access
> raw disks (just load your own driver, not very difficult).

wrong again, revoke CAP_SYS_RAWIO and you can no longer access
/dev/*mem, /proc/kcore etc.

> When you disable /dev/mem e.g. your X server stops working.

the places where you are going to use immutable bits and hardening
things down with capabilities are not GUI workstations, it's text-only
firewalls and such. my firewall has been running for around a year now
with access to /dev/*mem and module insertion completely disabled
without any breakage.

> Even when you disable /dev/mem there are often other ways to access
> kernel memory as root, e.g. often drivers have some maintenance ioctls
> that can be used to trick some hardware into doing DMA from/to your
> buffer. As soon as you can do DMA you have full access to all memory,
> equivalent to /dev/mem.

now you're going into the realm of `you can't have 100% security so
let's not bother trying'

> There are good reasons linux never implemented the BSD security level
> concept

2.0 did implement it.

> (it was briefly there in 2.0, but dropped because it was shown to be
> useless). It's also the reason why few people use the existing linux

it was not dropped, it was obsoleted by capabilities, but capabilities
have not been fully completed to match the securelevel abilities.

> capabilities BTW. With some creativity most capabilities can be used
> to eventually access memory or change raw disk, and that leads to
> "super root".

see above about 100% security and not bothering to try. we may as well
say `there will always be security bugs in software and so on, so let's
just forget it and chmod -R 6777 /'

of COURSE there is no such thing as 100% security, no matter how much
you harden a box there is probably still some obfuscated way to crack
it.

the POINT is to make it more *difficult* to crack the box, more
difficult, time consuming, etc. that extra PITA you add to a security
sensitive box is quite likely to cause the attacker to say `fuck it'
and move on to a nice easy default redhat. or at the very least delay
things long enough for the attentive admin to notice some shady crap
going on before serious damage is already done.

> > noatime is not that useful IMO, if you're worried about atime updates
> > there is a mount option, agreed on S(ync).
>
> It is useful for crontab on laptops for example to prevent the disk
> spinning up just for the inode flush.

noatime is too big a sledgehammer. on a laptop you need to use the
noatime mount option to cover the entire filesystem, running around
adding a bit to every file that might be accessed to avoid disk spinup
is insane.

--
Ethan Benson
http://www.alaska.net/~erbenson/
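The claim in the mail that revoking CAP_SYS_RAWIO closes /dev/mem and /proc/kcore can be checked directly. The following is an added example, not code from the thread or from either participant. In 2002 the revocation was done system-wide through the 2.2/2.4 cap-bound sysctl (or the lcap tool); that global knob is gone from modern kernels, so this example uses the per-process interfaces instead: capset(2) to strip the capability from the running process, and prctl(PR_CAPBSET_DROP) to strip it from the bounding set so no execve, setuid-root binaries included, can hand it back. The first of these never needs privilege; the second needs CAP_SETPCAP, which is why the code reports EPERM rather than failing hard when run as an ordinary user. Note the caveat a practitioner should know: dropping from the bounding set alone does not remove a capability from the process that already holds it, which is why both steps are needed. The device paths probed are the ones the mail names; on a system without /dev/mem (most containers) the probe reports ENOENT rather than EPERM.

```c
/* Added example, not part of the original mail. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Capabilities are numbered from 0 and packed into two 32-bit words in the
 * capget/capset data structures; these map a number to word and bit. */
static int cap_word(int cap)      { return cap / 32; }
static unsigned cap_mask(int cap) { return 1u << (cap % 32); }

/* 1 if cap is in the calling thread's effective set (this is the set the
 * kernel's capable() check for /dev/mem consults), 0 if not, -1 on error.
 * Works without privilege. */
int has_effective_cap(int cap) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data) < 0) return -1;
    return (data[cap_word(cap)].effective & cap_mask(cap)) ? 1 : 0;
}

/* 1 if cap is still in the bounding set (the ceiling on what any execve,
 * including a setuid-root binary, can hand back), 0 if not, -1 on error. */
int cap_in_bounding_set(int cap) {
    int r = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
    return r < 0 ? -1 : r;
}

/* Clear cap from the effective, permitted and inheritable sets of the
 * calling thread. Shrinking one's own sets never requires privilege.
 * Returns 0 on success, -1 on error. */
int drop_cap_now(int cap) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data) < 0) return -1;
    data[cap_word(cap)].effective   &= ~cap_mask(cap);
    data[cap_word(cap)].permitted   &= ~cap_mask(cap);
    data[cap_word(cap)].inheritable &= ~cap_mask(cap);
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/* Remove cap from the bounding set so it cannot be regained via execve.
 * Needs CAP_SETPCAP. Returns 0 on success (or if already absent), -1 with
 * errno set (EPERM when unprivileged). Irreversible for this process tree. */
int drop_cap_from_bounding_set(int cap) {
    if (cap_in_bounding_set(cap) == 0) return 0;
    return prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == 0 ? 0 : -1;
}

/* open(2) the path read-only and return 0 on success or the errno:
 * EPERM is what root without CAP_SYS_RAWIO gets on /dev/mem, EACCES what
 * a non-root user gets, ENOENT where the node does not exist. */
int probe_open(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

int main(void) {
    const char *paths[] = { "/dev/mem", "/dev/kmem", "/proc/kcore" };
    printf("before: CAP_SYS_RAWIO effective=%d bounding=%d\n",
           has_effective_cap(CAP_SYS_RAWIO), cap_in_bounding_set(CAP_SYS_RAWIO));
    if (drop_cap_now(CAP_SYS_RAWIO) < 0) perror("capset");
    if (drop_cap_from_bounding_set(CAP_SYS_RAWIO) < 0) perror("PR_CAPBSET_DROP");
    printf("after:  CAP_SYS_RAWIO effective=%d bounding=%d\n",
           has_effective_cap(CAP_SYS_RAWIO), cap_in_bounding_set(CAP_SYS_RAWIO));
    for (size_t i = 0; i < sizeof paths / sizeof *paths; i++) {
        int e = probe_open(paths[i]);
        printf("%-12s -> %s\n", paths[i],
               e ? strerror(e) : "OPENED (raw memory access still possible)");
    }
    return 0;
}
```

Run it as root on a box with /dev/mem present and the "before" line shows effective=1, the "after" line effective=0, and every probe reports "Operation not permitted"; run it unprivileged and capset still succeeds while PR_CAPBSET_DROP reports EPERM. The same drop applied to CAP_SYS_MODULE is what the mail means by disabling module insertion; on a 2.2/2.4 kernel both were done once for the whole system via cap-bound, whereas today the drop has to be made in the process that starts the services (init, or a wrapper like capsh), since children inherit the reduced bounding set.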