Subject: Re: Preventative security features?
To: Tim Kelly <hockey@dialectronics.com>
From: Brett Lymn <blymn@baesystems.com.au>
List: tech-security
Date: 11/14/2004 22:22:57
On Sat, Nov 13, 2004 at 09:31:30PM -0500, Tim Kelly wrote:
> 
> Just as a reminder, /tmp, /var, /home, and /root are on the same
> partition as / in the default install. While most people will have their
> own partitioning scheme, I feel that the default partition scheme should
> be a good option out of the box.
> 

ok - and just as an ambit claim, I believe that /usr should be added in
there.  For most machines I can see little point in going past having
two partitions: / and swap.  I say MOST here - for specific function machines
like firewalls and such separating out, say, /var for logs would be a good
idea.

> I offer the following for discussion as a default scheme
> 

I don't like it, no sir I don't think I do.  After suffering the pain
of having to totally repartition machines during an upgrade quite a few
times, lots of little partitions for no real purpose just fills me
with apprehension.  People claim it is "more secure" but the arguments
are not really convincing.

> /var mounted as a write-only partition

neat, that one - I'm sure no one will be able to snoop data there.

> 
> These do reflect some influence by OpenBSD, although not exclusively.
>

not necessarily a good model to follow, they did not have much choice
other than partition up because their bootloader did not support bigger
than 8Gig root partitions until recently.

> They may also be consistent with general practices.
>

No, not really.  Certainly the default install from Sun these days is for
one partition and swap.

> 
> The read/write
> only permissions should be set in the default installation and the user
> should be required to learn about kernel security levels in order to
> make changes, even to install packages in /usr, 
>

No, that is entirely the wrong attitude to take - forcing people to learn
something will make them reach for fedora core 3; to me it seems like
you are proposing a puzzle to check if someone is worthy of running
NetBSD, and that will turn people off big time.

> 
> From the new user's perspective, it is a preventative
> measure that will help secure the installation, encourage learning, and
> prevent seriously screwing up the installation
>

What is wrong with seriously screwing up the installation?  Screwing things
up can help you learn things (like the value of backups...) and it is
hardly likely that the machine will be of any consequence if you have
access to it unsupervised if you don't have the appropriate level of
experience.  Trying to be ingenious and prevent screwups just breeds
more ingenious screwer-uppers.

> (as I did recently when I
> accidentally blew away my /etc on RC2 with an RC4 "reinstall sets"
> instead of an upgrade and found myself locked out as root from my serial
> console with no users to su from, I spend most of my time in hardware
> interfacing, not OS administration, so not everyone using NetBSD is an
> experienced BSD user).
> 

ok - so you shot yourself in the foot... "oops", the machine was hardly
far from salvageable.  I have heard of far worse errors.

> No one will complain about making it easier to install NetBSD, which is
> certainly consistent with "security without the hype."
> 

Lots of people may just complain about making it harder to use NetBSD
which is what you are proposing, you would not be able to add a user without
a remount rain-dance, or change a password (or are you going to put that in
/var... what happens if that gets blown away?).  How many times do you think
that will happen before / just gets mounted rw?

-- 
Brett Lymn
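The thread argues over two things that can be checked mechanically from /etc/fstab: which directories are split off onto their own filesystem with hardening options (ro, nosuid, nodev), and which everyday writes (adding a user, installing a package) would force the "remount rain-dance" on a read-only filesystem. The script below is an added example, not code from either poster or from NetBSD; the fstab it parses is constructed for illustration, and the per-mount-point option expectations in EXPECTED are an assumption standing in for whatever policy a site settles on.

```python
"""Audit an fstab for the partition/mount-option policy discussed in the thread.

Added example; the sample fstab is constructed, not taken from any real system.
"""
from typing import Dict, List, NamedTuple, Optional

# Constructed NetBSD-style fstab: device, mount point, fs type, options, dump, pass.
# /usr is read-only and /var/tmp are split off, roughly the scheme under discussion.
SAMPLE_FSTAB = """\
# device        mount   type    options                 dump pass
/dev/wd0a       /       ffs     rw,log                  1 1
/dev/wd0b       none    swap    sw,dp                   0 0
/dev/wd0e       /usr    ffs     ro,nodev                1 2
/dev/wd0f       /var    ffs     rw,nosuid,nodev,log     1 2
tmpfs           /tmp    tmpfs   rw,-m1777,-s=256M       0 0
kernfs          /kern   kernfs  rw                      0 0
"""

# Assumed policy: which mount points we expect to exist separately and with which
# options. "ro" means the filesystem must be mounted read-only.
EXPECTED: Dict[str, set] = {
    "/usr": {"ro"},
    "/var": {"nosuid", "nodev"},
    "/tmp": {"nosuid", "nodev"},
    "/home": {"nosuid", "nodev"},
}


class Mount(NamedTuple):
    device: str
    point: str
    fstype: str
    options: frozenset


def parse_fstab(text: str) -> List[Mount]:
    """Parse fstab text, ignoring comments and blank lines."""
    mounts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed fstab line: {raw!r}")
        device, point, fstype, opts = fields[:4]
        mounts.append(Mount(device, point, fstype, frozenset(opts.split(","))))
    return mounts


def audit(mounts: List[Mount]) -> Dict[str, List[str]]:
    """Report, per expected mount point, which policy options are missing.

    A mount point that is not split off at all (so it lives on /) is reported as such,
    which is exactly the default-install layout the original poster objected to.
    """
    by_point = {m.point: m for m in mounts if m.fstype != "swap"}
    findings: Dict[str, List[str]] = {}
    for point, wanted in EXPECTED.items():
        m = by_point.get(point)
        if m is None:
            findings[point] = ["not a separate filesystem (lives on /)"]
            continue
        findings[point] = [f"missing {opt}" for opt in sorted(wanted - m.options)]
    return findings


def mount_for(path: str, mounts: List[Mount]) -> Optional[Mount]:
    """Return the mount whose mount point is the longest prefix of path."""
    best = None
    for m in mounts:
        if m.fstype == "swap":
            continue
        prefix = m.point.rstrip("/") + "/"
        if path == m.point or path.startswith(prefix):
            if best is None or len(m.point) > len(best.point):
                best = m
    return best


def needs_remount(path: str, mounts: List[Mount]) -> bool:
    """True if writing to path would first require remounting its filesystem rw.

    This is the "remount rain-dance" from the reply: with /usr read-only, installing a
    package needs a remount, while editing /etc on a rw root does not.
    """
    m = mount_for(path, mounts)
    return m is not None and "ro" in m.options


if __name__ == "__main__":
    mounts = parse_fstab(SAMPLE_FSTAB)
    for point, problems in audit(mounts).items():
        print(f"{point}: {', '.join(problems) if problems else 'ok'}")
    for p in ("/etc/master.passwd", "/usr/pkg/bin/pkg_add"):
        print(f"{p}: remount needed = {needs_remount(p, mounts)}")
```

Run against a real /etc/fstab by reading the file instead of SAMPLE_FSTAB; the EXPECTED table is the place to encode whichever side of the thread's argument a site adopts.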