read-only root partition?
Jeff LaCoursiere
jeff at jeff.net
Thu Feb 28 09:31:16 GMT 2002
If you really want to give the crackers a hard time, investigate using the
jail facility to start your daemons. I don't see why you couldn't get
your RO root partition going - just symbolically link files that require
writing to another partition that is writable.
j
On Wed, 27 Feb 2002, Clark C . Evans wrote:
> Thank you. Any suggestions as to how to do this would
> be great. Here is an idea that I've had.
>
> There are three considerations that I have:
>
> - vinum (software RAID) cannot protect your boot partition
> since it is a kernel module and hence can't protect loading
> the os kernel (chicken and egg problem).
>
> - I'm building a web farm and just about everything
> is static, no new users, etc. It'd be nice to
> frustrate any crackers by making the root partition
> read-only.
>
> - I was thinking that it would be very neat to have
> the OS plus /usr and the server software be on a
> CD-ROM. So, to upgrade a server box I just simply
> switch CD-ROMs.
>
> It sounds like the predictable outstanding issues are
> (thanks to Paul and Jeff)...
>
> - /etc/motd gets updated at boot time, but you can turn
> that off in rc.conf
>
> - if you are using /etc/fbtab then /dev/console won't update,
> there may be other /dev issues (tty files)
>
> - if you are using DHCP then dhclient will want to update
> /etc/resolv.conf
>
> Sounds like there is some playing. Also, it seems that
> to transfer the boot to CD-ROM, I'll have to get everything
> working on /da0s1a before I cut the CD-ROM. Thus, entries
> pointing to /da0s1a need to point to the partition on the
> CD-ROM. In general, how do you make bootable CD-ROMs?
>
> Thank you so much for your feedback! Any other ideas
> would be cool!
>
> ;) Clark
>
>
> ------ FreeBSD UK Users' Group - Mailing List ------
> http://listserver.uk.freebsd.org/mailman/listinfo/freebsd-users
>
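As an added example (not code posted by anyone in this thread), the symlink trick Jeff describes, written as a small POSIX sh script: the files a read-only root still needs to write (the thread's own cases, /etc/resolv.conf for dhclient and /etc/motd) are moved to a writable partition and replaced with symbolic links, with a check that each link really resolves into the writable area. The ROOT and RW directories are parameters so it can be tried on a scratch tree first; the sample resolv.conf content and the mount(8) output line are constructed. The `root_is_readonly` helper assumes the FreeBSD mount(8) line format `/dev/da0s1a on / (ufs, local, read-only)`. The jail facility is not shown here.

```shell
#!/bin/sh
# Added example, not from the original list posts.
# Relocate writable files off a read-only root onto a writable
# partition and leave symlinks behind, then verify the result.

# relocate_writable ROOT RW FILE...
#   For each FILE (relative to ROOT): move ROOT/FILE to RW/FILE, creating
#   parent directories as needed, and leave a symlink at ROOT/FILE that
#   points at the absolute RW location.  Files already linked are skipped;
#   files missing on ROOT get an empty writable target.
relocate_writable() {
    root=$1; rw=$2; shift 2
    for f in "$@"; do
        src="$root/$f"
        dst="$rw/$f"
        if [ -L "$src" ]; then
            continue                      # already relocated on a previous run
        fi
        mkdir -p "$(dirname "$dst")"
        if [ -e "$src" ]; then
            mv "$src" "$dst"              # keep existing contents
        else
            : > "$dst"                    # e.g. /etc/motd absent: empty target
        fi
        ln -s "$dst" "$src"
    done
}

# check_relocated ROOT RW FILE...
#   Return 0 when every FILE under ROOT is a symlink into RW whose target
#   is writable; otherwise print the offending path and return 1.
check_relocated() {
    root=$1; rw=$2; shift 2
    for f in "$@"; do
        src="$root/$f"
        [ -L "$src" ] || { echo "not a symlink: $src"; return 1; }
        target=$(readlink "$src")
        case "$target" in
            "$rw"/*) ;;
            *) echo "link leaves writable area: $src -> $target"; return 1 ;;
        esac
        [ -w "$target" ] || { echo "target not writable: $target"; return 1; }
    done
    return 0
}

# root_is_readonly MOUNT_LINE
#   Given the mount(8) line for /, e.g. "/dev/da0s1a on / (ufs, local, read-only)"
#   (FreeBSD format assumed), return 0 only if it shows / mounted read-only.
#   Typical call on a live box: root_is_readonly "$(mount | grep ' on / ')"
root_is_readonly() {
    case "$1" in
        *" on / ("*read-only*) return 0 ;;
        *) return 1 ;;
    esac
}

# demo: run the relocation on a constructed scratch tree (not a real root)
# and return the check's result.  Contents of resolv.conf survive the move
# and remain reachable through the link.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/etc" "$tmp/rw"
    echo "nameserver 192.0.2.1" > "$tmp/root/etc/resolv.conf"   # constructed sample
    relocate_writable "$tmp/root" "$tmp/rw" etc/resolv.conf etc/motd
    if check_relocated "$tmp/root" "$tmp/rw" etc/resolv.conf etc/motd \
       && [ "$(cat "$tmp/root/etc/resolv.conf")" = "nameserver 192.0.2.1" ]; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}
```

Run `demo` on a scratch tree before touching a real box; on the box itself, the writable partition must be listed in /etc/fstab and mounted before any daemon that writes through these links starts, and the root line's option field is changed from `rw` to `ro` so that the setup is actually enforced and not just intended.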