Dave Sherohman <esper at sherohman.org> writes:

> On Fri, Mar 22, 2002 at 09:15:40AM -0600, John J. Trammell wrote:
> > - have /bin, /etc, /sbin, and /usr on read-only media (CD-R?)
> > - have /home, /root, and /var on disk (maybe as little as 2 Gb?)
>
> In the event of problems, you could have a bit of trouble getting the
> machine back up to fix it if /bin, /etc, /sbin, /lib, and /root
> aren't all on the root partition.
>
> Also, if /bin, /sbin, /lib, and/or /usr are on read-only media, you
> can't update software as security patches are released. Granted, an
> intruder won't be able to plant trojaned binaries, but they'll still
> be able to trash /home and /var.

I know sysadmins who have hacked a hardware write-protect switch for
SCSI drives. It lets them have critical binaries on physically-protected
read-only media, and still update them. To be really safe, you can't do
the update remotely though, since a true paranoid would disconnect the
network and reboot (from the read-only media) before enabling write.

Can this be done for IDE? Maybe an adapter that plugs between the drive
and the cable and has the switch on it? I have no idea what the lines in
the cable are.

-- 
David Dyer-Bennet, dd-b at dd-b.net / Ghugle: the Fannish Ghod of Queries
John Dyer-Bennet 1915-2002 Memorial Site http://john.dyer-bennet.net
Book log: http://www.dd-b.net/dd-b/Ouroboros/booknotes/
Photos: http://dd-b.lighthunters.net/
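Whether the write protection comes from a CD-R, a hardware switch on the drive, or a plain "ro" mount, the thing a practitioner wants to verify afterwards is that the directories named in the thread (/bin, /etc, /sbin, /lib, /usr) really do sit on a read-only mount, and that the ones meant to stay writable (/home, /var) do not. The script below is an added example written for this page, not code from any of the posters. It resolves a path to the longest-matching mount point in a /proc/mounts-style table and checks the mount options; the table embedded in it is constructed (root on an iso9660 CD mounted ro, /var, /home and /usr/local on disk), and the function names mount_options, is_readonly and unprotected_dirs are mine. Pass a real file such as /proc/mounts as the second argument to check a live system.

```shell
#!/bin/sh
# Added example (not from the original message): check which of the
# "system" directories are actually on a read-only mount.

# Constructed sample in /proc/mounts format:
#   device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sr0 / iso9660 ro,relatime 0 0
/dev/sda1 /var ext3 rw,relatime 0 0
/dev/sda2 /home ext3 rw,nosuid,nodev 0 0
/dev/sda3 /usr/local ext3 rw,relatime 0 0
proc /proc proc rw 0 0'

# mounts_table [FILE]: print the mount table to use (FILE, else the sample).
mounts_table() {
  if [ -n "$1" ]; then
    cat "$1"
  else
    printf '%s\n' "$SAMPLE_MOUNTS"
  fi
}

# mount_options PATH [FILE]: print the option string of the mount holding
# PATH.  The longest matching mount point wins, so /usr/local/bin/foo
# resolves to /usr/local rather than to /.
mount_options() {
  path="$1"
  best=""
  best_opts=""
  while read -r dev mnt fstype opts rest; do
    [ -z "$mnt" ] && continue
    # Match: root always matches; otherwise PATH equals the mount point
    # or starts with "<mountpoint>/".
    if [ "$mnt" = "/" ] || [ "$path" = "$mnt" ] || \
       [ "${path#"$mnt"/}" != "$path" ]; then
      if [ "${#mnt}" -gt "${#best}" ]; then
        best="$mnt"
        best_opts="$opts"
      fi
    fi
  done <<EOF
$(mounts_table "$2")
EOF
  printf '%s\n' "$best_opts"
}

# is_readonly PATH [FILE]: exit 0 if the mount holding PATH carries "ro".
is_readonly() {
  opts=$(mount_options "$1" "$2")
  case ",$opts," in
    *,ro,*) return 0 ;;
    *)      return 1 ;;
  esac
}

# unprotected_dirs [FILE]: print each directory from the thread's list
# that is NOT on a read-only mount (empty output means all are protected).
unprotected_dirs() {
  for d in /bin /etc /sbin /lib /usr; do
    is_readonly "$d" "$1" || printf '%s\n' "$d"
  done
}

# Example use: report on the embedded sample table.
for d in /bin /etc /sbin /lib /usr /usr/local /var /home; do
  if is_readonly "$d"; then
    printf '%-12s read-only  (%s)\n' "$d" "$(mount_options "$d")"
  else
    printf '%-12s WRITABLE   (%s)\n' "$d" "$(mount_options "$d")"
  fi
done
```

Run it with no argument to see the sample; on a real box, `unprotected_dirs /proc/mounts` printing nothing is the check that the layout the thread describes is actually in effect. Note it tests the mount options only: a drive with a hardware write-protect switch still shows "rw" if the kernel mounted it read-write, so on such a system the switch position, not this script, is the final word.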