On 2024/03/24 19:01:00 -0700, "Lyndon Nerenberg (VE7TFX/VE6BBM)" <[email protected]> wrote:
> I am curious to hear people's thoughts on adding some mount(2)
> hardening when the system is running at securelevel 2. Specifically:
>
> * do not allow removing MT_NODEV, MT_NOEXEC, MT_NOSUID,
>   or MT_RDONLY in conjunction with MNT_UPDATE
>
> * do not allow MNT_WXALLOWED in conjunction with
>   MNT_UPDATE
>
> Currently, if someone does manage to get a root toehold on a host,
> they can remove noexec from /tmp as a possible springboard to upload
> nasties, and then change /usr from read-only to read-write and
> scribble all over your binaries.

or they can just upload to /usr/local or /home, or mess with /etc, or...

I don't see how this would help.

> This somewhat follows from how securelevel 1 removes the ability
> to muck with the immutable and append only bits on files.
>
> --lyndon
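
The check proposed in the quoted message, sketched as an added example; it is not code from this thread or from any kernel. The helper name `mount_update_allowed`, the locally defined flag values, and the reading of the second rule as "wxallowed may not be newly added" are assumptions.

```c
#include <errno.h>
#include <stdio.h>

/* Stand-in values so the sketch builds on any host (assumption);
 * a real kernel takes these from <sys/mount.h>. */
#define MNT_RDONLY    0x00000001u
#define MNT_NOEXEC    0x00000004u
#define MNT_NOSUID    0x00000008u
#define MNT_NODEV     0x00000010u
#define MNT_WXALLOWED 0x00000800u
#define MNT_UPDATE    0x00010000u

#define MNT_HARDENING (MNT_RDONLY | MNT_NOEXEC | MNT_NOSUID | MNT_NODEV)

/*
 * Hypothetical helper. cur_flags are the flags on the existing mount,
 * req_flags are the flags passed to mount(2).
 * Returns 0 if the request is allowed, EPERM if it would weaken the mount.
 */
int
mount_update_allowed(int securelevel, unsigned int cur_flags,
    unsigned int req_flags)
{
	/* Only updates of existing mounts at securelevel 2 are restricted. */
	if (securelevel < 2 || !(req_flags & MNT_UPDATE))
		return 0;
	/* A hardening flag set now but absent from the request is a removal. */
	if (cur_flags & MNT_HARDENING & ~req_flags)
		return EPERM;
	/* Interpretation: wxallowed may be kept but not newly added. */
	if ((req_flags & MNT_WXALLOWED) && !(cur_flags & MNT_WXALLOWED))
		return EPERM;
	return 0;
}

int
main(void)
{
	/* Constructed case: /tmp mounted nodev,nosuid,noexec; update drops noexec. */
	unsigned int tmp = MNT_NODEV | MNT_NOSUID | MNT_NOEXEC;
	int r = mount_update_allowed(2, tmp, MNT_UPDATE | MNT_NODEV | MNT_NOSUID);

	printf("drop noexec at securelevel 2: %s\n", r == EPERM ? "EPERM" : "ok");
	return 0;
}
```

The sketch only covers flag changes on existing mounts; file systems that are already writable and executable are unaffected by it.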

