
Not quite. Just secure the desktops the right way

Posted Mar 16, 2004 0:59 UTC (Tue) by NZheretic (guest, #409)
In reply to: Not quite. Just secure the desktops the right way by paulj
Parent article: Mainstream means more malicious code for Linux (SearchSecurity.com)

3) The /usr partitions are mounted read only
Good idea. Makes upgrades harder though

Not really, the upgrade script just remounts the /usr partition write enabled during upgrades.

and the /tmp, /home, /var directories are mounted non executable.

Hmm.. not worth much, might stop an automated worm, but otherwise noexec is worthless. If you can read data, you can execute it. (/lib/ld.so /tmp/bin).

It's actually more effective at stopping the users from "accidentally" executing downloaded scripts/binaries. To expect more than that would require a solution like SELinux's LSMs.

Ever heard of autofs? ;)

The whole point is to mount only the network filesystems required by each user on a per user/group basis.
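An added example, not part of the original comment: a shell audit of a mounts table (the format of /proc/mounts) against the policy discussed in this thread, /usr read-only and /tmp, /home, /var noexec, which also catches a /usr left writable after an upgrade remount. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a mounts table (same format as /proc/mounts) against
# the policy in the comment: /usr read-only; /tmp, /home, /var noexec.

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS.
# Whole-token match, so "errors=remount-ro" does not count as "ro".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mounts FILE: print one verdict per rule; return 1 on any violation.
audit_mounts() {
    table=$1
    status=0
    for rule in /usr:ro /tmp:noexec /home:noexec /var:noexec; do
        mnt=${rule%%:*}
        want=${rule##*:}
        # The last entry for a mount point is the one in effect.
        opts=$(awk -v m="$mnt" '$2 == m { o = $4 } END { print o }' "$table")
        if [ -z "$opts" ]; then
            echo "MISSING $mnt is not a separate mount, $want cannot be set"
            status=1
        elif has_opt "$opts" "$want"; then
            echo "OK      $mnt has $want"
        else
            echo "FAIL    $mnt lacks $want (options: $opts)"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample: /usr left read-write, /home without noexec,
# /var not a separate filesystem.
sample_table() {
    cat <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /usr ext3 rw,errors=remount-ro 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda4 /home ext3 rw,nosuid,nodev 0 0
EOF
}

tmp=$(mktemp)
sample_table > "$tmp"
audit_mounts "$tmp" || echo "policy violations found"
rm -f "$tmp"
```

On a live system, pass /proc/mounts as the argument instead of the sample file.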

