Re: Writes to mounted devices containing file-systems.

Helge Hafting (helgehaf@idb.hist.no)
Fri, 10 Aug 2001 15:23:45 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Steven Cole: "Re: Some dbench 32 results for 2.4.8-pre8, 2.4.7-ac10, and 2.4.7"
Previous message: Etienne Lorrain: "possible ip checksumming issues?"
Maybe in reply to: Richard B. Johnson: "Writes to mounted devices containing file-systems."
Next in thread: H. Peter Anvin: "Re: Writes to mounted devices containing file-systems."

"Richard B. Johnson" wrote:
>
> Is it possible that Linux could decline to write to a device that
> contains mounted file-systems? OTW, don't allow raw writes to
> devices or partitions if they are mounted; writes could only
> be through the file-systems themselves.
>
> One of my file-servers was destroyed by an in-house hacker,
> (consultant) rented by our alleged Chief Information Officer,
> to destroy Linux systems and thereby show that they can't
> be used in a "professional" environment.
[...]
> I have about 20 megabytes of logs showing the machine being
> attacked from inside our firewall.

If doing that sort of thing to a server (as opposed to some
poor test machine) is okay in your company... well consider
"testing" the security on *all* the non-linux machines as well.

There are so many exploits out there, including but not limited
to those funny email viruses - and you get to run them
from within the firewall!

[...]
> Microsoft FUD has convinced a lot of companies that they will
> be subjected to stockholder lawsuits and customer rejection if
> they use Linux or any of those "insecure" Unix-type machines.
>
> In this company, they hired a "CIO" who thinks that no computers
> should have any local storage or boot capability. They must all
> boot from some secure (M$) file-server. They will not be allowed
> to have local disks and, horrors -- of course no floppy drives or
> CD-ROMS.
>
> He doesn't care that we are in the business of making software-driven
> machines so we require access to the guts of computers and their
> operating systems.

Looks like this business is going to fail soon enough...
Start looking for other employment - avoid the rush when
it collapses.

> Linux development needs to know about the "big lie" method of
> forcing everybody to use what big companies (or the government)
> want you to use. Think, for a minute, about what "everybody knows".
>
> "Everybody knows" relates to something that is so commonly accepted
> that nobody bothers to check if it's true or not.
>
> Everybody knows:
> "global warming..."
> "greenhouse gasses..."
> "asbestos as a carcinogin..."
> "etc..."
>
> The next one will be:
>
> "Linux is insecure..."
>
> So, if it is at all possible to help improve its security without
> hurting its performance very much, it's really a matter of life-or-
> death for Linux. Otherwise "they" will get us.

Now, if you want a safe machine in such a hostile environment,
consider using a read-only boot device. I.e. a cdrom, or
a harddisk jumpered read-only after the initial configuration.
You can then boot fast, and have work files on their secure server.

Helge Hafting
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Steven Cole: "Re: Some dbench 32 results for 2.4.8-pre8, 2.4.7-ac10, and 2.4.7"
Previous message: Etienne Lorrain: "possible ip checksumming issues?"
Maybe in reply to: Richard B. Johnson: "Writes to mounted devices containing file-systems."
Next in thread: H. Peter Anvin: "Re: Writes to mounted devices containing file-systems."