Warning: long but informative. Trusting your mounted CDROM for critical data may not be such a good idea. If an attacker gets root they can do funky things to subvert it to varying degrees (depends on how careful you are).
> Rob 'Feztaa' Park wrote: > > > Or you could just set the file(s) immuteable flag with 'chattr -i', and > > the file cannot be changed or deleted. > > If it can be set, it can be unset. On a CDROM its on a read only > filesystem. Actually, I can mount a writeable filesystem overtop an arbitrary directory (especially if you have loopback filesystem enabled in the kernel or a loadable module =). [root@bigstick root]# mount -t iso9660 /dev/cdrom /mnt/cdrom/ [root@bigstick root]# cd /mnt/cdrom/RedHat/RPMS/ [root@bigstick RPMS]# ls 4Suite-0.10.1-1.i386.rpm a2ps-4.13b-13.i386.rpm alchemist-0.16-3.i386.rpm anacron-2.3-16.i386.rpm anonftp-4.0-4.i386.rpm apache-1.3.19-5.i386.rpm [root@bigstick root]# cd ~ [root@bigstick root]# insmod loop Using /lib/modules/2.4.9-13/kernel/drivers/block/loop.o [root@bigstick root]# dd if=/dev/zero of=loopback-filesystem bs=1024 count=1024 1024+0 records in 1024+0 records out [root@bigstick root]# losetup /dev/loop0 /root/loopback-filesystem [root@bigstick root]# mkfs -t ext2 /dev/loop0 mke2fs 1.23, 15-Aug-2001 for EXT2 FS 0.5b, 95/08/09 Filesystem label= OS type: Linux Block size=1024 (log=0) Fragment size=1024 (log=0) 128 inodes, 1024 blocks 51 blocks (4.98%) reserved for the super user First data block=1 1 block group 8192 blocks per group, 8192 fragments per group 128 inodes per group Writing inode tables: done Writing superblocks and filesystem accounting information: done This filesystem will be automatically checked every 38 mounts or 180 days, whichever comes first. Use tune2fs -c or -i to override. [root@bigstick root]# mount -t ext2 /dev/loop0 /mnt/cdrom/RedHat/RPMS/ [root@bigstick root]# cd /mnt/cdrom/RedHat/RPMS/ [root@bigstick RPMS]# ls -la total 15 drwxr-xr-x 3 root root 1024 Dec 19 21:35 . drwxr-xr-x 4 root root 2048 Apr 8 2001 .. drwxr-xr-x 2 root root 12288 Dec 19 21:35 lost+found [root@bigstick RPMS]# I would now rmdir lost+found and copy in all my "special" rpm files at this point =). Same goes for a cdrom with protected database on it (hint: use the tripwire features to encrypt your database and keep the passphrase secret! Also consider using a multiple part passphrase shared among people so no single person can subvert it). Kurt Seifried, [EMAIL PROTECTED] A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://www.seifried.org/security/