archaic at linuxfromscratch.org
Sat Feb 25 13:44:05 PST 2006
On Sun, Feb 26, 2006 at 01:45:23AM +0500, Dimitry Naldayev wrote:
> _The motivations_ The main question is "why do we want to keep the root fs
> read-only?". The answer is probably "we want to increase security". A cracker
> needs to remount root fs in read-write mode before he can do bad things with
> our computer. If his exploit does not do this, he is out of luck. But if /etc
> is mounted in read-write mode, he does not need to remount root fs to be able
> to modify something in /etc.
Let me try to clear up some misconceptions that may be floating in the
air. First, a readonly rootfs does not give a genuine increase in
security. It can help with script kiddies, but not someone who knows
what he is doing. My hint specifically stated the answer to the "why?":
DESCRIPTION: A read-only root file system has many advantages over
read-write when the computer unexpectedly powers off.
> The common technique is to put root's home dir in /root not in
You have not played much in the unix-like world outside of linux
apparently. /home/root (and even /usr/home/<users>) is not uncommon.
> Yes it is a common technique to make root fs read-only but there are some
> drawbacks. If you compare original /etc/mtab and /proc/mounts you notice
> some differences...
Which is why I promptly mention that he misquoted me. There is nothing
worse than someone glancing over your work only to misunderstand and
misquote it. :(
> There is software which adds entries to /etc/fstab when you hotplug some
> hardware in your computer.
You have to decide what the purpose of the machine is. I build mostly
servers. I have no use for a writable fstab. On my laptop, I still have
no use for a writable fstab. If you want the bells and whistles of udev
WRT its hot/cold plugging capabilities, then you have to rethink your
strategy. HINT: If you look at the glibc file that is edited in my hint
for writable mtab, you will find many other common /etc files that can
be relocated. It's just a simple text file and glibc determines where
they reside.
> Unfortunately major Linux vendors do not consider read-only root fs as
> primary goal.
And I see no reason why they should. It is extra headache and extra
support questions from n00bs. This is an advanced topic that requires
much planning and forethought to get right. Distros cannot account for
how you will use a machine. This is the beauty of the LFS projects where
you decide what is right for you. :)
Want control, education, and security from your operating system?
Hardened Linux From Scratch
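
The thread turns on which paths remain writable once / is mounted read-only. The following is an added example, not part of the original message or of the hint it refers to: it resolves a path to the mount that actually holds it in /proc/mounts-format text. The function names and the sample mount table are constructed for illustration, and mount points are assumed to contain no whitespace.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format: read-only root with a
# separate writable filesystem mounted over /etc.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 ro,noatime 0 0
proc /proc proc rw,nosuid 0 0
tmpfs /etc tmpfs rw,nosuid 0 0
/dev/sda2 /var ext3 rw 0 0'

# mount_mode PATH  (mount table on stdin)
# Prints "ro" or "rw" for the mount holding PATH: the longest mount point
# that is a prefix of PATH wins, and on equal length the later line wins,
# because a later mount on the same directory shadows the earlier one.
mount_mode() {
    awk -v path="$1" '
    BEGIN { best = 0; mode = "" }
    {
        mp = $2
        # Match on a directory boundary so "/etc" does not claim "/etcetera".
        if (mp == "/" || path == mp || index(path, mp "/") == 1) {
            if (length(mp) >= best) {
                best = length(mp); mode = "rw"
                n = split($4, opts, ",")
                for (i = 1; i <= n; i++) if (opts[i] == "ro") mode = "ro"
            }
        }
    }
    END { if (mode == "") exit 1; print mode }'
}

# writable_despite_ro_root PATH MOUNT_TABLE_TEXT
# Succeeds when / is read-only yet PATH still sits on a writable mount,
# the situation the quoted text describes for /etc.
writable_despite_ro_root() {
    [ "$(printf '%s\n' "$2" | mount_mode /)" = "ro" ] &&
    [ "$(printf '%s\n' "$2" | mount_mode "$1")" = "rw" ]
}

for p in /etc/fstab /etc/mtab /root /var/log; do
    if writable_despite_ro_root "$p" "$SAMPLE_MOUNTS"; then
        echo "$p: writable although / is read-only"
    else
        echo "$p: not writable through a separate mount"
    fi
done
```

On a live system the same check is `mount_mode /etc < /proc/mounts`.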