[ILUG] History of /etc ?

Colm MacCarthaigh colm at stdlib.net
Mon May 31 16:10:48 IST 2004


On Mon, May 31, 2004 at 03:47:14PM +0100, Barry Flanagan wrote:
> If the entire network is compromised then game over, sure. 

If you NFS mount your /usr for several machines from one machine, then
it's "if that one machine is compromised then game over". That's hardly
defense in-depth. It's a perfectly valid trade-off, but it increases
your exposure to some security problems and decreases it to others and it's
certainly less ductile with a pretty ugly failure-mode.

I certainly wouldn't regard it as "more secure".

> What I contend is that by having a ro NFS mounted /usr (as well as
> other sensible filesystem precautions) you are greatly reducing the
> chances of that happening.
> 
> I am a great believer in multiple lines of defence, and this is surely
> one of them. 

I don't see how. If the local machine is rooted, you aren't preventing
anything there. A would-be attacker who now has root can just as easily
mount a new directory over /usr/sbin/ for example - so I don't see what
it has gained you there. And now if your central host is compromised
- boom go them all, rather than just one box in the non-NFS model - so
you've lost a whole ton there.

Now where it does give you a security gain is the ability to update
critical binaries on many machines in one go. But there are better ways
to do that that don't involve a massive dependency in the middle of your
machines.

Then obviously there are other factors that might make it worth the
trade-off, such as the savings in disk space, ease of backups and
consistency and so on. But it's still the opposite of the defence in
depth model.

-- 
Colm MacCárthaigh                        Public Key: colm+pgp at stdlib.net
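
Added example, not part of the original message: a defender-side check for the overmount described above, where something is mounted over a path inside the shared read-only /usr. It parses Linux /proc/self/mountinfo-format text; the sample lines, the host name fileserver and the function names are constructed for illustration.

```python
"""Flag mounts that shadow paths inside a shared /usr (constructed sample data)."""

# Constructed /proc/self/mountinfo lines; host name and devices are made up.
SAMPLE_MOUNTINFO = """\
21 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
30 21 0:40 / /usr ro,nosuid,relatime - nfs fileserver:/export/usr ro,vers=3
31 21 0:41 / /home rw,relatime - ext4 /dev/sda2 rw
45 30 0:52 / /usr/sbin rw,relatime - tmpfs tmpfs rw
46 30 8:1 /tmp/x /usr/lib/security rw,relatime - ext4 /dev/sda1 rw
"""

def parse_mountinfo(text):
    """Return a list of dicts, one per mount, from mountinfo-format text."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Fields before " - " are per-mount; fstype and source follow it.
        left, _, right = line.partition(" - ")
        f = left.split()
        fstype, source = right.split()[:2]
        mounts.append({
            "id": f[0], "parent": f[1], "root": f[3],
            "mountpoint": f[4].replace("\\040", " "),  # kernel escapes spaces
            "options": f[5].split(","), "fstype": fstype, "source": source,
        })
    return mounts

def shadowing_mounts(mounts, protected="/usr"):
    """Return (base mount on `protected`, mounts stacked on or nested under it)."""
    base = None
    findings = []
    prefix = protected.rstrip("/") + "/"
    for m in mounts:
        mp = m["mountpoint"]
        if mp == protected and base is None:
            base = m            # first mount on /usr: the expected shared export
        elif mp == protected or mp.startswith(prefix):
            findings.append(m)  # hides part of the shared tree from local users
    return base, findings

if __name__ == "__main__":
    base, found = shadowing_mounts(parse_mountinfo(SAMPLE_MOUNTINFO))
    print("base:", base["source"], base["fstype"], base["options"][0])
    for m in found:
        print("shadowed:", m["mountpoint"], "<-", m["fstype"], m["source"])
```

/proc/self/mountinfo describes only the calling process's mount namespace, and a check run on the host itself reports only what that host's kernel tells it.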
