Rootkit

John Wendel john.wendel at metnet.navy.mil
Mon Oct 22 23:54:54 UTC 2007


Mike McCarty wrote:
> John Wendel wrote:
>>
>> While reading this thread it occurred to me that if disk drives had a 
>> read-only switch, then systems would be uncrackable. Automated updates 
>> would be impossible, but I could live with a complicated update 
>> process if it would guarantee that my programs couldn't be compromised.
>>
>> Can someone tell me why this isn't a good idea?  There must be a fatal 
>> flaw that I don't see, or else someone would be selling drives like this.
> 
> There are several possible interactions. These occur to me immediately.
> 
> First, if this were done on a disc which contained the syslogs,
> then no syslogs could be made.
> 
> Second, if this were done where mount info and so forth get stored,
> then the system couldn't boot.
> 
> Third, if this were done to a "data file only" disc, then access time
> information could not be stored.
> 
> Mike

I guess most people wouldn't want to dedicate an entire disk for this 
function, but I'm sure that the disk drive firmware could write 
protect just a portion of the drive. Maybe the first 10GB (or some 
jumper selectable size) could be read-only (with a switch).

/var needs to be on a writable partition. But there shouldn't be any 
executable files in /var. There are special filesystems ("unionfs" ?) 
that redirect writes to a read-only file to a copy of the file in a 
writable partition (I think).

/etc needs to be cleaned up so that any configuration or status files 
that require dynamic updates are stored in /var/etc. Again, maybe the 
unionfs would fix this problem.

Maybe a small ramdisk could hold the config files from /etc that need 
to change when the system boots.

I always mount my data disks with noatime and noexec. But I'm not 
really concerned with data files, just executable programs.

I suspect that all the software pieces to make this happen already 
exist, used now for live-CDs and such. Somebody just needs to make the 
read-only disk drive.

Regards,

John
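An added example, not part of this thread: a small audit that reads `/proc/mounts` text and checks it against the layout sketched above (program trees mounted read-only, every writable disk carrying noexec and noatime). The sample mount table and the policy constants are my own assumptions, constructed for the example.

```python
import re

# Constructed /proc/mounts sample; the kernel escapes a space as \040.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 ro,relatime,errors=remount-ro 0 0
/dev/sda2 /var ext4 rw,noatime,noexec,nosuid 0 0
/dev/sdb1 /data ext4 rw,relatime 0 0
/dev/sdc1 /mnt/my\\040disk ext4 rw,noatime,noexec 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,mode=755 0 0
"""

# Policy (my assumption, modelled on the post): the program trees stay
# read-only, and every writable block device carries noexec and noatime.
READ_ONLY_TREES = ("/", "/usr", "/boot")
WRITABLE_OPTS = {"noexec", "noatime"}


def _unescape(field):
    """Decode octal escapes such as \\040 (space) used in /proc/mounts."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Yield (device, mountpoint, fstype, option_set) for each mount line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dev, mnt, fstype, opts = parts[:4]
        yield _unescape(dev), _unescape(mnt), fstype, set(opts.split(","))


def audit(text):
    """Return one violation string per mount that breaks the policy."""
    findings = []
    for dev, mnt, _fstype, opts in parse_mounts(text):
        if not dev.startswith("/dev/"):
            continue  # tmpfs, proc, sysfs and friends are out of scope here
        if mnt in READ_ONLY_TREES:
            if "ro" not in opts:
                findings.append(f"{mnt} ({dev}) is writable; expected ro")
        elif "rw" in opts:
            missing = sorted(WRITABLE_OPTS - opts)
            if missing:
                findings.append(f"{mnt} ({dev}) lacks {','.join(missing)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MOUNTS):
        print("VIOLATION:", finding)
```

On a real host, pass the contents of `/proc/mounts` to `audit()` instead of the constructed sample.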

More information about the fedora-list mailing list