[TUHS] /usr separation

Steve Nickolas usotsuki at buric.co
Thu Feb 25 06:25:52 AEST 2021


On Wed, 24 Feb 2021, Theodore Ts'o wrote:

> On Wed, Feb 24, 2021 at 10:50:03AM -0700, Grant Taylor via TUHS wrote:
>> Being a fan of the golden rule, I would not make, much less use, that
>> derivation.  I think it completely changes the meaning of the spirit behind
>> the golden rule.
>
> Oh, sure.  I agree completely that it's 180 degrees from the original
> golden rule; it was intended to be a joke.  Unfortunately, years of
> living in a country where the ones with the Gold really do make all of
> the Rules has gotten me to the point where if I don't laugh at it, I
> would have to cry....

I first heard this form used in the movie "Aladdin" (the 1992 Disney one, 
with Robin Williams).

>> I seem to recall hearing about a problem where a rogue rm could accidentally
>> wipe out part of the UEFI.  Maybe it was the contents of the /boot/efi
>> partition.  So, I'd suggest a happy medium of mounting it Read-Only.  That
>> way it's known to be used /and/ it's protected from a simple rogue rm.  It
>> can relatively easily be re-mounted as Read-Write when necessary.  As well
>> as subsequently re-mounted back to Read-Only.

<snip>

> As far as making a system more robust against rogue rm's, I really
> like the scheme used by ChromeOS, where the entire file system is not only
> read-only, but protected by a cryptographic Merkle Tree such that if
> malware attempts to modify it, the system will crash.  This is
> combined with firmware which will only load a kernel with a valid
> digital signature, and the user data is stored on an encrypted file
> system mounted on /mnt/stateful_partition and it is the only file
> system mounted read/write on a ChromeOS system.  It violates a lot of
> expectations about where files should live on a "normal" Unix or Linux
> system, but it's definitely way more safe and secure.

It may not be as much of a protection, but I replaced the system rm on my 
Debian with one based on 4.4BSD (since I already had the code lying 
around) to which I added a bit of protection against attempts to "rm -rf 
/" after a worm got in and ran an obfuscated version of that...thankfully 
it didn't run as the superuser.

I do get occasional "invalid switch" errors from it while using apt, so it 
probably uses a gnuism (since afaict, the code I used was strictly 
conformant to Posix). Otherwise, it hasn't caused any issues.

-uso.
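The root-directory guard the post describes, written out as an added example that is not the poster's modified rm or any BSD or GNU code: a lexical check that refuses paths which normalise to "/", and a device/inode comparison against "/" that also catches symlinks and bind mounts. All function names are hypothetical.

```c
/* Added example, not the poster's modified rm: two "is this the root
 * directory?" guards such an rm could apply before recursing. Names are hypothetical. */
#include <string.h>
#include <sys/stat.h>
/* Lexically canonicalise an absolute path into out (outsz bytes): collapse
 * repeated slashes, drop "." and resolve ".." (never above root).
 * Returns 0, or -1 if path is not absolute or out is too small. */
int lexical_normalize(const char *path, char *out, size_t outsz)
{
    size_t len = 0, n;              /* len: bytes written, excluding NUL */
    const char *p = path, *start;
    if (path[0] != '/' || outsz < 2)
        return -1;
    while (*p) {
        while (*p == '/') p++;      /* skip a run of separators */
        if (!*p) break;
        for (start = p; *p && *p != '/'; p++) ;
        n = (size_t)(p - start);
        if (n == 1 && start[0] == '.')
            continue;               /* "." is a no-op */
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            while (len > 0 && out[--len] != '/') ;   /* pop last component */
            continue;
        }
        if (len + n + 2 > outsz)
            return -1;
        out[len++] = '/';
        memcpy(out + len, start, n);
        len += n;
    }
    if (len == 0)
        out[len++] = '/';
    out[len] = '\0';
    return 0;
}
/* 1 if path is lexically "/" (catches "//", "/.", "/usr/.."), 0 if not, -1 on error. */
int is_root_lexically(const char *path)
{
    char buf[4096];
    if (lexical_normalize(path, buf, sizeof buf) != 0) return -1;
    return strcmp(buf, "/") == 0;
}
/* 1 if path is the same directory as "/" on disk (same st_dev and st_ino),
 * which also catches symlinks and bind mounts; 0 if not; -1 if stat fails. */
int is_root_on_disk(const char *path)
{
    struct stat r, t;
    if (stat("/", &r) != 0 || stat(path, &t) != 0) return -1;
    return r.st_dev == t.st_dev && r.st_ino == t.st_ino;
}
```

A modified rm would run both checks on every top-level operand of a recursive delete and refuse before descending; the lexical check costs nothing, and the on-disk check is the one that cannot be fooled by aliases of "/".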

