Rootkit
John Wendel
john.wendel at metnet.navy.mil
Mon Oct 22 23:54:54 UTC 2007
Mike McCarty wrote:
> John Wendel wrote:
>>
>> While reading this thread it occurred to me that if disk drives had a
>> read-only switch, then systems would be uncrackable. Automated updates
>> would be impossible, but I could live with a complicated update
>> process if it would guarantee that my programs couldn't be compromised.
>>
>> Can someone tell me why this isn't a good idea? There must be a fatal
>> flaw that I don't see, or else someone would be selling drives like this.
>
> There are several possible interactions. These occur to me immediately.
>
> First, if this were done on a disc which contained the syslogs,
> then no syslogs could be made.
>
> Second, if this were done where mount info and so forth get stored,
> then the system couldn't boot.
>
> Third, if this were done to a "data file only" disc, then access time
> information could not be stored.
>
> Mike
I guess most people wouldn't want to dedicate an entire disk for this
function, but I'm sure that the disk drive firmware could write
protect just a portion of the drive. Maybe the first 10GB (or some
jumper selectable size) could be read-only (with a switch).

/var needs to be on a writable partition. But there shouldn't be any
executable files in /var. There are special filesystems ("unionfs" ?)
that redirect writes to a read-only file to a copy of the file in a
writable partition (I think).

/etc needs to be cleaned up so that any configuration or status files
that require dynamic updates are stored in /var/etc. Again, maybe the
unionfs would fix this problem.

Maybe a small ramdisk could hold the config files from /etc that need
to change when the system boots.

I always mount my data disks with noatime and noexec. But I'm not
really concerned with data files, just executable programs.

I suspect that all the software pieces to make this happen already
exist, used now for live-CDs and such. Somebody just needs to make the
read-only disk drive.
Regards,
John
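The layout John sketches (read-only system area, writable /var, data disks mounted noexec) can be audited with a small script. The following is an added example, not code from the thread: it reads /proc/mounts-style text and lists every mount point where a file could be both written and executed, i.e. neither "ro" nor "noexec" is set. The sample mount table is constructed for illustration and does not describe any real host.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (device, mountpoint, fstype, options, dump, pass).
# Not taken from any real system.
SAMPLE_MOUNTS='/dev/sda1 / ext3 ro,relatime,errors=remount-ro 0 0
/dev/sda2 /var ext3 rw,relatime 0 0
/dev/sdb1 /data ext3 rw,noatime,noexec,nodev,nosuid 0 0
/dev/sdb2 /scratch ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# has_opt OPTS OPT: succeed when OPT is one of the comma-separated mount options OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# writable_exec_mounts: read /proc/mounts-style lines on stdin and print each
# mount point that is writable and allows execution (no "ro", no "noexec").
# These are the places where a dropped binary could actually run.
writable_exec_mounts() {
    while read -r _dev mnt _fstype opts _rest; do
        [ -n "$mnt" ] || continue
        if ! has_opt "$opts" ro && ! has_opt "$opts" noexec; then
            printf '%s\n' "$mnt"
        fi
    done
}

# check_sample: run the audit over the constructed table above.
check_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | writable_exec_mounts
}

# On a live system the same function would be fed the real table:
#   writable_exec_mounts < /proc/mounts
check_sample
```

On the constructed table the script reports /var, /scratch and /tmp: the read-only root and the noexec data disk drop out, and what remains is exactly the set of filesystems where John's "no executables in /var" rule would have to be enforced by other means.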
More information about the fedora-list mailing list