trying out older (read-only, noexec, mount) security methods

[Tim]

Tim:
>> Are there any known, current, problems with mounting certain things as
>> read-only or noexec to minimise harm?  Such as making /tmp and /home
>> noexec?  Or /usr read-only?  Or any other suggestions?

James Wilkinson:
> I've got /tmp mounted nodev,noexec (and should probably mount /var the
> same way).

Well, I've found my first problem:  Mounting /var with "noexec" means
that CGI scripts won't run for the web server.  Took me a few minutes of
headscratching to realise what had gone wrong, as is the way when the
problem happens some time after a change.  I've temporarily removed
"noexec" while I consider if I should move the /var/www/cgi-bin/
directory out of /var.

> A read-only /usr sounds like more trouble than it's worth: it *will*
> break yum updates. So you'll have to regularly remount it read-write
> (while the system's on-line) to update the machine.

Yes, that had been on my mind.  I don't know if anything else writes to
it.  If the updates were less frequent I might be more inclined to try
making it read-only.  Of course, I could automate things by using a
script to remount it as writable, run YUM, then remount as read-only.
Then, I'd only have one thing to do.

Naturally, I realise that the moment I've got FC4 running pat, it'll be
outdated and I'll have to start over again with FC5.

-- 
Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.