Running with a readonly root partition
mister.olli at googlemail.com
Fri Jun 13 18:26:35 UTC 2008
do you have some kind of installation/setup manual?
that would be really interesting to see your steps, and try that myself.
I have some questions too:
- how do you handle updates/ installation of new software?
- how do you prevent someone who hacked the machine to remount '/' as
- how do users update theirs passwords when '/etc' is read-only?
Am Freitag, den 13.06.2008, 14:47 -0300 schrieb A. Hamilton-Wright:
> As devfs is running by default, it seems to me that
> it would be relatively easy to run with a readonly
> root partition, assuming that the directories under
> which writing is necessary (ie; /tmp, /var, /home)
> are located in separate, writable partitions.
> The main advantages are that none of the configuration
> files or binaries in /etc and /usr (which may still
> be on a separate readonly partition) are vulnerable
> to attack (even from a local privilege escalation)
> without remounting the partition as writable.
> This used to be a very common setup in the *NIX
> world, so I am surprised to find little to no mention
> of it in the archives.
> I set up my machine this way a couple of months back,
> and have noticed some minor things (some few things
> assume a writable /etc, notably including dump(8),
> and the boot process update to /etc/motd). Once these
> have been rectified by relocating the files and setting
> up symlinks, there have been no problems.
> My questions are:
> - does anyone else do this?
> - if not, why not?
> freebsd-questions at freebsd.org mailing list
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
More information about the freebsd-questions