Subject: Re: mfs woes
To: None <tech-kern@NetBSD.org>
From: phlox <phlox-netbsd-kern@fnop.net>
List: tech-kern
Date: 07/14/2004 14:19:30
On 2004.07.14 08:33:51 +0000, Steven M. Bellovin wrote:
> You and Andrew make good points about special cases.  I should amend my 
> suggestion: does MFS make sense for /tmp on ordinary machines?
I don't really know if what I'm going to say has already been said. Sorry for
that.
Anyway, most of the backdoors are stored on /tmp, which is a world-writable
directory, and forensic analysis (data contraception) relies on physical data
(hard disk) not being 100% synchronized with the file system virtual layer.
By using some tools, we are able to get some information about deleted files
and directories, some bits of which are still in the physical disk layer.
By making /tmp an mfs, every file (including backdoors) will never reach the hard
disk, destroying any forensic evidence that could be gained that way.
For performance, an mfs /tmp is really good. But for security it's very bad.

There's an interesting article in the just-out phrack #62 by grugq about
remote execution without writing anything to the disk:
http://phrack.org/phrack/62/p62-0x08_Remote_Exec.txt

-- 
  "Simplicity is the ultimate
    sophistication."
    -- Leonardo da Vinci