UNIX for Advanced & Expert Users

i am not quite sure what the purpose of mounting a filesystem that is already mounted.. i know you may want to mount /usr read only but do not know the true purpose behind this.. and why would /proc be mounted on /proc itself.. this is all new to me.. I have been reading up on it from various sources one of which is Rute Tutorial and Expo by Paul Sheer..(excellent book). but I am not quite understanding the concept.
moxxx68
ps this book can be viewed freely on www.freeprogrammingresources.com under books along with many books.

You can re-mount the /usr filesystem read-only (or indeed set it up in /etc/fstab with the "ro" option so it happens automatically). Doing so is a good security measure where several clients can all mount a central /usr partition over NFS and thus not have to worry about updating binaries on all systems - just update the central /usr filesystem and all the other clients will be using these updated binaries - because it is mounted read-only clients will not be able to change any of the contents of /usr - something they generally won't need to do anyway.

As for /proc - this is not a "true" filesystem - rather it is a psuedo filesystem generated dynamically by the kernel to display system information.

Cheers
ZB

is it worth my while to mount /usr ro for security measures now that I am accessing remote servers and accounts through ftp and ssh.. and I bring this up because i have virtually no controlled security of any type like firewalls or virus detection on my system.. would this be advisable or unnecessary. it would seem that it would be a bit tedious to have to remount rw to add binaries and utilities in my /usr/local and /usr/bin and then remount ro.

For the purposes of a desktop Linux system where you will be continually adding to /usr/local there is no real security gain by mounting /usr read-only. If you were serving /usr over NFS then I'd say yes.

Without having a firewall of any kind, your biggest threat is through vulnerabilites in old packages (and unnecessarily open ports) - if they can exploit your system, then yes, they could replace binaries in /usr/bin with malicious ones, but in such an event this probably would be the least of your worries.

If this were a server system, however, I'd say without a doubt yes - mount /usr read-only. For your needs, however, i'd recommend setting up iptables/ipchains (depending on your kernel) and getting your firewall up and running. Google for "guarddog" - this provides a nice KDE interface to configuring your firewall (providing support is compiled into your kernel for iptables/ipchains which it usually is by default on modern distributions).

Cheers
ZB

speaking of servers I have acually just done precisely that, I downlowded samba and installed it i tried to configure it to specs.. and now I am trying to figure out exactly how to implement it.(i know that sounds funny but the reason I downloaded is so that I could cross the NFS platform). I was'nt aware of the firewall actually being on the system so i guess I will have to take a look at that.. (I am not a security freak, but still I worry!), as for mounting /usr ro correct me if I am wrong i would umount /dev/hdd /usr and the
mount -t autofs -o ro /dev/hdd /usr .
as for IP tables I would need a clue as to where to start
thanx moxxx68

Samba is for sharing files between Windows and *nix machines - not for NFS exports - you can do that as standard within any *nix OS.

The firewall issue is a long and complex one, which is why it's best to let something like GuardDog take care of the configuration for you (requires a KDE desktop).

You can find howto's for NFS, Samba and lots of other things over at the Linux Documentation Project.

Cheers
ZB