Re: audit failed writes to read-only file-system?
From: dpuryear@usa.net (Dustin Puryear) Date: Thu, 28 Feb 2002 16:02:20 GMT
On Wed, 27 Feb 2002 22:55:29 GMT, Bear G <afu@coyotesong.com> wrote:
>fastest way to be called a fool is to make blanket statements like that.
>:-)
>The problem is that you need to keep /etc writable, but if you make /etc a
>separate partition then it's not mounted when the kernel updates some
>key files on it.
>
>As for making /usr read-only, this is only marginally useful since
>any attacker can easily remount /usr. The same criticism applies to
>the ext2 immutable bit. These practices are more useful as a speed
>bump to prevent you from making a stupid mistake than to stop anyone
>but a wannabe attacker.
Well, here is the deal. I am running a web cluster with n web servers
served by several database servers. The web servers are running Apache
and PHP. Now, I'm not too concerned with Apache, but I am concerned
with both PHP and the actual PHP application being used by an
attacker. So, one of my first goals is to hinder easy file modification.
Another option I have considered is to set Apache in a chroot
environment, which would be helpful as well. Unfortunately, configure
for Apache 1.3.x doesn't seem to give me a chroot option despite some
HOWTOs that I have read.
So, mounting / and /usr read-only was really just another "speed
bump," as you refer to it. My only concern is that I would then be
unable to detect real attacks.
Regards, Dustin
---
Dustin Puryear <dpuryear@usa.net>
Information Systems Contractor
http://members.telocity.com/~dpuryear
PGP Key available at http://www.us.pgp.net
In the beginning the Universe was created. This has been widely regarded as a bad move. - Douglas Adams
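The detection question raised by the thread subject, whether a read-only mount leaves you blind to write attempts, can be answered from kernel audit records: a write refused by a read-only filesystem fails with EROFS, and that failure is logged like any other syscall. The script below is an added example written for this archive page, not code from either poster. It assumes the Linux audit daemon's raw SYSCALL/PATH record layout and the x86-64 syscall table (where 165 is mount); the log lines it parses are constructed for the example and are not real logs from the cluster described above.

```python
"""Flag attempted writes to a read-only filesystem in auditd-style records.

Added example; the sample lines are constructed, and the layout follows the
Linux audit daemon's raw SYSCALL/PATH format (assumption: x86-64 syscall
numbers, where 165 is mount).
"""
import re
from collections import defaultdict

EROFS = 30                  # Linux errno "Read-only file system"
MOUNT_SYSCALL_X86_64 = 165  # assumption: x86-64 syscall table; other archs differ

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_fields(line):
    """Split 'key=value' pairs; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def group_events(lines):
    """Join SYSCALL and PATH records that share an audit event serial."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue                    # not an audit record; ignore
        serial = int(m.group(2))
        fields = parse_fields(line)
        ev = events[serial]
        if fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
        elif fields.get("type") == "PATH" and "name" in fields:
            ev["paths"].append(fields["name"])
    return events


def find_ro_fs_events(lines):
    """Return findings: writes refused with EROFS, plus successful mount calls.
    A remount to read-write is what has to happen before a refused write can
    succeed, so both belong in the same report."""
    findings = []
    for serial, ev in sorted(group_events(lines).items()):
        sc = ev["syscall"]
        if sc is None:
            continue
        ok = sc.get("success") == "yes"
        exit_code = int(sc.get("exit", "0"))
        nr = int(sc.get("syscall", "-1"))
        kind = None
        if not ok and exit_code == -EROFS:
            kind = "write_refused_erofs"
        elif ok and nr == MOUNT_SYSCALL_X86_64:
            kind = "mount_succeeded"
        if kind:
            findings.append({
                "serial": serial,
                "kind": kind,
                "comm": sc.get("comm"),
                "uid": sc.get("uid"),
                "paths": ev["paths"],
            })
    return findings


# Constructed sample records (not real logs): one refused write by the web
# server, one ordinary successful open, one EACCES failure that is not EROFS,
# and one successful mount by root.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1014911312.118:101): arch=c000003e syscall=2 success=no exit=-30 a0=7ffd0a1 a1=241 a2=1b6 a3=0 items=1 pid=902 uid=33 gid=33 euid=33 comm="httpd" exe="/usr/sbin/httpd" key="ro-write"',
    'type=PATH msg=audit(1014911312.118:101): item=0 name="/usr/local/apache/htdocs/index.php" inode=4711 dev=08:02 mode=0100644',
    'type=SYSCALL msg=audit(1014911315.004:102): arch=c000003e syscall=2 success=yes exit=4 a0=7ffd0b2 a1=441 a2=1a4 a3=0 items=1 pid=902 uid=33 gid=33 euid=33 comm="httpd" exe="/usr/sbin/httpd"',
    'type=PATH msg=audit(1014911315.004:102): item=0 name="/var/log/httpd/access_log" inode=2222 dev=08:05 mode=0100644',
    'type=SYSCALL msg=audit(1014911320.551:103): arch=c000003e syscall=87 success=no exit=-13 a0=7ffd0c3 a1=0 a2=0 a3=0 items=1 pid=905 uid=33 gid=33 euid=33 comm="php" exe="/usr/bin/php"',
    'type=PATH msg=audit(1014911320.551:103): item=0 name="/etc/httpd/httpd.conf" inode=17 dev=08:01 mode=0100644',
    'type=SYSCALL msg=audit(1014911400.009:104): arch=c000003e syscall=165 success=yes exit=0 a0=0 a1=7ffd0d4 a2=0 a3=20 items=1 pid=1200 uid=0 gid=0 euid=0 comm="mount" exe="/bin/mount"',
    'type=PATH msg=audit(1014911400.009:104): item=0 name="/usr" inode=2 dev=08:02 mode=040755',
]

if __name__ == "__main__":
    for f in find_ro_fs_events(SAMPLE_LOG):
        print(f"{f['serial']}: {f['kind']} by comm={f['comm']} uid={f['uid']} paths={f['paths']}")
```

On the sample input the report lists event 101 (httpd refused with EROFS while opening index.php for writing) and event 104 (a successful mount by uid 0), and stays silent on the ordinary log-file open and on the EACCES failure. The mount events are the ones to watch on a host where / and /usr are supposed to stay read-only: a refused write is the speed bump working, while a remount to read-write from the web server's context is the signal that someone is trying to drive around it.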