04-14-2008, 06:16 AM
Timo Boettcher

Read-only root (/) except /etc

* Daniel Dickinson <cshore@wightman.ca> wrote:
> Is it possible to have /etc on a separate partition from / (root) so
> that root can be read-only while /etc is read-write?
Making a read-only root-fs is quite complex.
You didn't write why you want to do this. If you have a medium that
may break from too many writes (like a flash-disk), you can try mounting
another (tmpfs?) over it with unionfs or aufs (I got better results with
that). If you want to use that as a security feature, it won't work. If
you really want read-only-root, you should have a look at grml-live [1].
Grml is a Debian-based live-cd aimed at advanced users with a focus on
text-tools (no kde, no ooo), and grml-live is its automated build-tool.

HTH

Timo

[1] http://www.grml.org/grml-live/


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
04-14-2008, 01:11 PM
Daniel Dickinson

Read-only root (/) except /etc

On Sun, 13 Apr 2008 12:04:31 -0400
"Douglas A. Tutty" <dtutty@porchlight.ca> wrote:

> On Sun, Apr 13, 2008 at 03:12:08PM +0000, lists2008@skaro.afraid.org
> wrote:
> > I don't *need* things read-only. I would just rather not *need* to
> > have my root filesystem read write.
> >
> > I gave some reasons above for why I would like to be able to
> > control if and when the root filesystem is subject to writes.
>
> However, consider: as things stand now, only root can alter files
> which don't have write permissions for others. Sure, if the
> filesystem were mounted ro then root couldn't write to the files
> either (or delete files). However, root could always remount / rw.
> Therefore there is no security in a system once root is compromised
> whatever you do. If root is not compromised, then the standard Unix
> permission scheme will provide the security.

Thank you for that explanation. This is exactly what I was thinking
about, and thus, for my purposes I don't need read-only root. Digby
makes some interesting suggestions as to why one might want ro root
that are more interesting, but they don't apply to me.

Regards,

Daniel

--
And that's my crabbing done for the day. Got it out of the way early,
now I have the rest of the afternoon to sniff fragrant tea-roses or
strangle cute bunnies or something. -- Michael Devore
GnuPG Key Fingerprint 86 F5 81 A5 D4 2E 1F 1C http://gnupg.org
No more sea shells: Daniel's Weblog http://cshore.wordpress.com
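Doug's point quoted above is that a read-only mount is no barrier once root is compromised, because root can simply remount it read-write; what a read-only root does give a defender is a mount state that is cheap to audit, so an unexpected rw remount becomes a detection signal even though it is not a preventive control. The following POSIX shell script is an added example and not code from any poster in this thread. It assumes a /proc/mounts-style input (fields: device, mountpoint, fstype, options, dump, pass), uses a constructed sample rather than a real host's mount table, takes the last entry for each mountpoint because /proc/mounts lists the initial rootfs before the real root, and reports filesystems that were expected to be read-only but are mounted read-write or absent.

```shell
#!/bin/sh
# Added example: report mounts that were expected to be read-only but are rw.
# Input is a /proc/mounts-style file: device mountpoint fstype options dump pass

# Constructed sample of /proc/mounts output (not captured from a real host).
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 ro,relatime,errors=remount-ro 0 0
/dev/sda2 /etc ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /usr ext3 rw,relatime 0 0'
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
printf '%s\n' "$SAMPLE_MOUNTS" > "$SAMPLE_FILE"

# mount_opts FILE MOUNTPOINT
# Prints the options field of the last entry for MOUNTPOINT; the last entry
# wins because /proc/mounts lists the initial rootfs before the real root.
# Prints an empty line when the mountpoint is not present at all.
mount_opts() {
    awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }' "$1"
}

# is_readonly FILE MOUNTPOINT
# Succeeds only if the options contain exactly "ro" as one comma-separated
# item, so "errors=remount-ro" alone does not count as read-only.
is_readonly() {
    mount_opts "$1" "$2" | tr ',' '\n' | grep -qx 'ro'
}

# ro_drift FILE MOUNTPOINT...
# Prints one DRIFT line for every expected-read-only mountpoint that is rw
# (or missing); prints nothing when everything matches expectations.
ro_drift() {
    file=$1
    shift
    for mp in "$@"; do
        if ! is_readonly "$file" "$mp"; then
            echo "DRIFT: $mp expected ro, options: $(mount_opts "$file" "$mp")"
        fi
    done
}

# ro_drift_count FILE MOUNTPOINT...
# Prints the number of drifting mountpoints (0 when the state is as expected).
ro_drift_count() {
    ro_drift "$@" | wc -l | tr -d ' '
}

# Usage on the constructed sample: / is ro as expected, /etc and /usr drift.
ro_drift "$SAMPLE_FILE" / /etc /usr
echo "drifting mounts: $(ro_drift_count "$SAMPLE_FILE" / /etc /usr)"
```

On a live system the file argument would be /proc/mounts and the mountpoint list would come from the host's own policy; running this from cron and alerting on a non-zero count turns the read-only mount into an integrity signal rather than relying on it to stop a privileged attacker.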
 
04-14-2008, 01:52 PM
"Douglas A. Tutty"

Read-only root (/) except /etc

On Mon, Apr 14, 2008 at 09:11:52AM -0400, Daniel Dickinson wrote:
> On Sun, 13 Apr 2008 12:04:31 -0400
> "Douglas A. Tutty" <dtutty@porchlight.ca> wrote:
> > On Sun, Apr 13, 2008 at 03:12:08PM +0000, lists2008@skaro.afraid.org
> > wrote:
> > However, consider: as things stand now, only root can alter files
> > which don't have write permissions for others. Sure, if the
> > filesystem were mounted ro then root couldn't write to the files
> > either (or delete files). However, root could always remount / rw.
> > Therefore there is no security in a system once root is compromised
> > whatever you do. If root is not compromised, then the standard Unix
> > permission scheme will provide the security.
>
> Thank you for that explanation. This is exactly what I was thinking
> about, and thus, for my purposes I don't need read-only root. Digby
> makes some interesting suggestions as to why one might want ro root
> that are more interesting, but they don't apply to me.

OK. Would you like to discuss the security concerns in your application
that prompted this? Are you just Practically Paranoid (TM OpenBSD) or
do you have a specific concern in your situation?

As for the write limits on flash devices, this has been heavily
discussed and real-world tested over on misc@openbsd.org, where a higher
proportion of users are making appliances out of e.g. soekris boxes with
OpenBSD using a compact flash card as the hard drive for all
partitions/filesystems. They find that if you use a good industrial
compact flash, which come with at least a 5 year warranty, that in
real-world use they have been lasting quite well and not markedly less
reliable than hard drives. Note that this is just for the changes that
happen to a system running as an appliance which only reboots on a
kernel change. In OpenBSD that means about every 6 months if you keep
it up-to-date.

Doug.


 
04-15-2008, 01:50 AM
Tzafrir Cohen

Read-only root (/) except /etc

On Mon, Apr 14, 2008 at 08:16:32AM +0200, Timo Boettcher wrote:
> * Daniel Dickinson <cshore@wightman.ca> wrote:
> > Is it possible to have /etc on a separate partition from / (root) so
> > that root can be read-only while /etc is read-write?
> Making a read-only root-fs is quite complex.
> You didn't write why you want to do this. If you have a medium that
> may break from too many writes (like a flash-disk), you can try mounting
> another (tmpfs?) over it with unionfs or aufs (I got better results with
> that). If you want to use that as a security feature, it won't work. If
> you really want read-only-root, you should have a look at grml-live [1].
> Grml is a Debian-based live-cd aimed at advanced users with a focus on
> text-tools (no kde, no ooo), and grml-live is its automated build-tool.

Or, closer to Debian: http://debian-live.alioth.debian.org/ .

--
Tzafrir Cohen | tzafrir@jabber.org | http://tzafrir.org.il | tzafrir@cohens.org.il | ICQ# 16849754
VIM is a Mutt's best friend

