read-only root partition?

Paul Civati paul at xciv.org
Wed Feb 27 23:38:18 GMT 2002


"Clark C . Evans" <cce at clarkevans.com> wrote:

>  - vinum (software RAID) cannot protect your boot partition
>    since it is a kernel module and hence can't protect loading
>    the os kernel (chicken and egg problem).

Yes, a catch 22 for software RAID, maybe look at some kind of hardware
RAID.. I think it's possible to do mirroring with cheap IDE RAID cards.

>  - I'm building a web farm and just about everything
>    is static, no new users, etc.  It'd be nice to 
>    frustrate any crackers by making the root partition
>    read-only.

Bear in mind that all other partitions would have to be mounted
noexec/nosuid otherwise they could just put their trojaned binary
on there instead.

>  - I was thinking that it would be very neat to have
>    the OS plus /usr and the server software be on a
>    CD-ROM.   So, to upgrade a server box I just simply 
>    switch CD-ROMS.  

Certainly doable.

> Sounds like there is some playing.  Also, it seems that
> to transfer the boot to CD-ROM, I'll have to get everything
> working on /da0s1a before I cut the CD-ROM.  Thus, entries
> pointing to /da0s1a need topoint to the partition on the
> CD-ROM.   In general, how do you make bootable CD-ROMs?

You build your CD tree of files, then within that tree you have a
bootable floppy image with a kernel, you then use mkisofs with the
right option to use that floppy image to boot off of.

Bootable i386 CDs basically work by having the BIOS make the machine
think that the floppy image on the CD is in fact your A: drive.

-Paul-






More information about the Ukfreebsd mailing list