Bugtraq mailing list archives

Re: BoS: amodload.tar.gz - dynamic SunOS modules


From: blymn () awadi com au (Brett Lymn)
Date: Fri, 21 Jun 1996 20:10:54 +0930


According to Piete Brooks:

Hmm -- as I remember it from times of stress mending broken systems (so the
old grey cells may not be all that reliable!), if / was r/o, mounts FAILED,
unless the "-n" flag was set:

      -n     Mount the file system without making an entry in /etc/mtab.


Ahhh your brain cells are better than mine.  I remember that now!
Still, if you don't have a reasonable mnttab there to start off with
then you get some weirdness with tools that use it to report things to
do with disks...

[[ PS: Sean said "Why? If an attacker can alter your system binaries, s/he must
                 have root privileges.  Which means s/he can also unmount the
                 filesystems and remount them read-write."


Uhhh relying on the ro mount option is a Bad Thing (TM) IMHO.  When
people started talking write protected file systems I immediately
thought you meant _hardware_ write protect.  There are some SCSI hard
disks that have a link that will write protect the disk in hardware so
even if someone gets root on that box they cannot remount the
partitions r/w even if the "-o remount" worked and normally it does.
Another side effect of the write protection is that telnet and rlogin
will no longer work because they will not be able to allocate a pty to
talk on which is a plus on a firewall - cuts out a couple of potential
problems right away.  All this said and done, the upshot is that even
if someone gets root on the machine - where do they go?  You would be
stupid to trust this machine to any other machine on your network so
they cannot directly log in anywhere else.  They cannot install a
trojan because all the binaries are hardware write protected.  It does
make life a bit difficult ;-)

--
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
  "Upgrading your memory gives you MORE RAM!" - ad in MacWAREHOUSE catalogue.


