From: gabriel rosenkoetter (greclipsed.net)
Date: Tue Jul 10 2001 - 17:32:02 CDT
On Tue, Jul 10, 2001 at 10:01:33PM +0200, Emmanuel Dreyfus wrote:
> You may want to set up a firewall or sniffer with the filesystem mounted
> read-only and securelevel=2, or even with a read-only boot media (hard
> disk write protected using a jumper, CDROM, or why not just an EPROM if
> we are running on an embedded device?), so that if it is compromised you
> remain absolutely certain that rebooting the system will bring back a
> clean state.
If you're going to that much trouble, couldn't you just hack sshd
slightly for your specific setup to not care about pty ownership?

For that matter, for a firewall, how about allowing ssh to the
machine as root, but only ever do it with public/private key
authentication from a machine inside the FW?

(I'm playing devil's advocate here. I actually like /dev-on-mfs
most. Is there some reason /dev *must* be ro?)
-- ~ g r eclipsed.net