read-only root partition?

[Jeff LaCoursiere]

If you really want to give the crackers a hard time, investigate using the
jail facility to start your daemons.  I don't see why you couldn't get
your RO root partition going - just symbolically link files that require
writing to another partition that is writable.

j

On Wed, 27 Feb 2002, Clark C . Evans wrote:

> Thank you.  Any suggestions as to how to do this would
> be great.  Here is an idea that I've had.
> 
> There are three considerations that I have:
> 
>  - vinum (software RAID) cannot protect your boot partition
>    since it is a kernel module and hence can't protect loading
>    the os kernel (chicken and egg problem).
>  
>  - I'm building a web farm and just about everything
>    is static, no new users, etc.  It'd be nice to 
>    frustrate any crackers by making the root partition
>    read-only.
> 
>  - I was thinking that it would be very neat to have
>    the OS plus /usr and the server software be on a
>    CD-ROM.   So, to upgrade a server box I just simply 
>    switch CD-ROMS.  
> 
> It sounds like the predictable outstanding issues are
> (thanks to Paul and Jeff)...
> 
>  - /etc/motd gets updated at boot time, but you can turn 
>    that off in rc.conf
>  
>  - if you are using /etc/fbtab then /dev/console won't update,
>    there may be other /dev issues  (tty files)
> 
>  - if you are using DHCP then dhclient will want to update
>    /etc/resolv.conf
> 
> Sounds like there is some playing.  Also, it seems that
> to transfer the boot to CD-ROM, I'll have to get everything
> working on /da0s1a before I cut the CD-ROM.  Thus, entries
> pointing to /da0s1a need topoint to the partition on the
> CD-ROM.   In general, how do you make bootable CD-ROMs?
> 
> Thank you so much for your feedback!  Any other ideas
> would be cool!
> 
> ;) Clark
> 
> 
> ------ FreeBSD UK Users' Group  -  Mailing List ------
> http://listserver.uk.freebsd.org/mailman/listinfo/freebsd-users
>