> Simple approximation to this: make /usr a separate partition, and mount it
> read-only:
>
>    * The good news: attackers that want to trojan your software have to
>      reboot, at least.
>    * The bad news: administrators that want to update your software
>      have to reboot, at least.

No reboot is required, you just need to remount it:

  # mount -o remount,rw /usr

This requires root access, but presumably /usr is safe from non-root
users anyway.  Only way to disable this is to have the kernel compiled
with something that compartmentalizes capabilities (LIDS/etc on Linux
for example) or to remove CAP_SYS_ADMIN with lcap, which would definitely
require a reboot, and possibly break some other functionality to boot.

(Pun intended.  My apologies.)

--
Brian Hatch                  "Are you expected?"
   Systems and               "No. Dreaded."
   Security Engineer
www.hackinglinuxexposed.com

Every message PGP signed
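
An added example, not part of the original message: a small audit that reports whether /usr is mounted read-only and whether CAP_SYS_ADMIN is still in the capability bounding set, i.e. whether the remount described above remains possible for root. It assumes a current Linux kernel that exposes the bounding set as the CapBnd line in /proc/self/status; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: is a read-only /usr just one remount away from writable?
CAP_SYS_ADMIN=21   # bit number of CAP_SYS_ADMIN in linux/capability.h

# Print the options of the last mount entry for mount point $1.
# Reads /proc/mounts-format text on stdin (later entries override earlier).
mount_opts() {
    awk -v mp="$1" '$2 == mp { o = $4 } END { if (o != "") print o }'
}

# Succeed only if the comma-separated option list $1 contains the exact
# option "ro" (so "errors=remount-ro" does not count).
opts_have_ro() {
    case ",$1," in *,ro,*) return 0 ;; *) return 1 ;; esac
}

# Succeed if the hex capability mask $1 (a CapBnd value) has CAP_SYS_ADMIN.
cap_has_sys_admin() {
    [ $(( (0x$1 >> $CAP_SYS_ADMIN) & 1 )) -eq 1 ]
}

# Verdict for /usr: mounts text on stdin, CapBnd hex mask in $1.
audit_usr() {
    opts=$(mount_opts /usr)
    if [ -z "$opts" ]; then echo "not-separate"
    elif ! opts_have_ro "$opts"; then echo "writable"
    elif cap_has_sys_admin "$1"; then echo "ro-but-remountable"
    else echo "ro-and-locked"
    fi
}

# Constructed sample input (not taken from a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 ro,nodev,relatime 0 0
proc /proc proc rw,nosuid 0 0'
SAMPLE_CAPBND_FULL=000001ffffffffff     # every capability still available
SAMPLE_CAPBND_DROPPED=000001ffffdfffff  # same mask with bit 21 cleared

printf '%s\n' "$SAMPLE_MOUNTS" | audit_usr "$SAMPLE_CAPBND_FULL"
printf '%s\n' "$SAMPLE_MOUNTS" | audit_usr "$SAMPLE_CAPBND_DROPPED"

# On a live Linux host:
#   audit_usr "$(awk '/^CapBnd:/ {print $2}' /proc/self/status)" < /proc/mounts
```

A verdict of "ro-but-remountable" is the situation the reply describes: the read-only flag is in place, but a root process can still undo it without a reboot.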
This archive was generated by hypermail 2b30 : Thu Sep 05 2002 - 13:26:47 PDT