Linux appliance?
Bill McGonigle
bill at bfccomputing.com
Wed Nov 24 21:46:00 EST 2004
On Nov 24, 2004, at 20:30, Derek Martin wrote:
> But she'll need a writable disk
> partition for storing mail related files, which introduces some
> (probably minute) measure of vulnerability. And, not being very
> familiar with knoppix, I'm not sure how you would have it
> automatically mount her home directory, except perhaps by
> custom-modifying the iso image and editing the fstab.
If you're modifying the fstab already, put a noexec mount option in
there. It'll reduce the set of vulnerabilities to the ones that can
get root and force a remount with exec.
Of course, Knoppix 20041124 ships with remote-root compromises we don't
know about yet - the flip side of this CD-R is that you *can't*
completely update the OS if you need to.
The last time I built a Linux appliance, I had the boot scripts read
updates from the hard drive into the root ramdisk (RAM is cheaper than
cleaning up Mom's computer). The updates were downloaded daily. Of
course, then you need that update mechanism and you have to maintain
the update server and eventually the whole darn thing is updates if you
don't reissue a CD on a regular basis.
-Bill
----
Bill McGonigle, Owner Work: 603.448.4440
BFC Computing, LLC Home: 603.448.1668
bill at bfccomputing.com Cell: 603.252.2606
http://www.bfccomputing.com/ Text: bill+text at bfccomputing.com
AIM: wpmcgonigle Skype: bill_mcgonigle
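
Added example, not part of the original message: a check for the noexec suggestion above, which reads fstab-format text and lists mount points that are writable but still allow execution. The device names and mount points in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: report fstab entries that are writable and executable.
# Usage: audit_fstab < /etc/fstab

audit_fstab() {
    awk '
        NF < 4 || $1 ~ /^#/ { next }               # blank, short or comment line
        $3 ~ /^(swap|proc|sysfs|devpts)$/ { next } # nothing to execute from these
        {
            n = split($4, opt, ",")
            ro = 0; noexec = 0
            # mount applies options left to right, so a later one wins
            for (i = 1; i <= n; i++) {
                if (opt[i] == "ro") ro = 1
                else if (opt[i] == "rw") ro = 0
                else if (opt[i] == "noexec") noexec = 1
                else if (opt[i] == "exec") noexec = 0
                # per mount(8), user/users imply noexec unless overridden later
                else if (opt[i] == "user" || opt[i] == "users") noexec = 1
            }
            if (!ro && !noexec) print $2
        }
    '
}

# Constructed sample fstab for a CD-booted appliance with one writable disk.
sample_fstab() {
    cat <<'EOF'
# device     mountpoint    type     options                  dump pass
/dev/cdrom   /cdrom        iso9660  ro                       0 0
/dev/hda2    /home/mom     ext3     rw,noexec,nosuid,nodev   0 2
/dev/hda3    /var/updates  ext3     defaults                 0 2
/dev/sda1    /mnt/usb      vfat     user,noauto              0 0
proc         /proc         proc     defaults                 0 0
/dev/hda1    none          swap     sw                       0 0
EOF
}

# Demo run on the constructed sample.
sample_fstab | audit_fstab
```

Note that noexec only blocks direct execution of files on that filesystem; a script stored there can still be passed to an interpreter that lives elsewhere.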