
Re: Poor Man's XT doc (pre-release)



On Sat, Aug 15, 1998 at 01:18:30PM +1000, Brian May wrote:
> In article <9808131144070R.19176@lyta> you write:
> >On Thu, 13 Aug 1998, Stephen J. Carpenter wrote:
> >>>I have attached here a document I am writing (mostly for my own interest)
> >>This is the "Poor Man's XT". The aim is to be a full doc on how to
> >>setup a debian linux system (based on 2.0) and make a working 
> >>"XTerminal" out of it. 
> >>The goals:
> >>1. Should be able to be diskless, booting either from boot prom or
> >>a boot disk and NFS mounting the base system
> >>2. System should be as small as possible.
> >>3. Xserver etc should be able to be upgraded from dpkg
> >>
> >>accepted limitations:
> >>1. Assumes XTerminal AND machine hosting its root filesystem via NFS are
> >>on the SAME architecture.
> >
> >That fits 99% of all cases, but I'd love to have some Pentiums as X servers
> >to an Alpha server!
> 
> I can't see why this is a problem. Unless you do something like share
> /usr (my preference, I prefer to mount /usr as RO, as this means only
> one copy needs to be kept, at the expense that I can only update
> packages from a given "master" computer, for me this is my NFS server),
> I don't see why it should matter if the architecture of the
> NFS server or xdm server is different.

Well the reason it is a problem is simple...in the original version
(the one I posted) the way setup AND TESTING was done was by chroot'ing
a shell to the / of the XTerminal...
Then I would run X from there...the latest version (in the works)
fixes this with a second install method which should work 
independently.


> >SUID-root programs on the NFS-root would have to be made non-SUID (probably a
> >good idea anyway if you want to have only 2 processes running on the machine).
> 
> I am confused... How do you intend to run X as non-root? I think it
> might be better just to make mount the NFS partitions as read-only,
> for normal use.

well In the latest version I did just that!
The entire / is mounted read-only...
It turns out if MOST of the init.d scripts are removed (an XTerminal has no
need for inetd or sysklog etc) then the ONLY thing that needs to write
to the filesystem is the X server,...it makes a directory and 2 files in /tmp
so /tmp needs to be writeable by each XTerminal but private to each XTerminal

I solved this by adding ramdisk support and minix filesystem support
(minix makes the kernel 25 k larger....ext2 makes it 49 k)
added mkfs.minix /dev/ram1 right before the mount -a in the
init.d script...then I added it to /etc/fstab

> The real problem I see, security wise, is that /etc cannot be read-only
> as it contains files that must be writable (I think), like /etc/mtab. This
> is really annoying. It also means that the root filesystem cannot
> be shared. The root filesystem must contain /etc, /bin, /sbin, so a separate
> copy of all these files must be kept.

well I have successfully shared the entire / ..all read-only
 
> Of course, it may be possible to remount /etc as another writable
> filesystem during boot, but this approach still makes me nervous (any
> changes made to /etc will come out as errors before /etc is re-mounted).
> 
> Otherwise, it might just be possible to mount the entire root filesystem
> as read-only except for /tmp and /var. I have heard of schemes where
> the /tmp partition is a local harddisk that is formatted on start-up,
> removing any long-term security implications. A separate copy
> of /var would be required for each diskless computer.

well the XTerminal itself has no need to write to anything but /tmp ...
in this minimal setup /var can even be ro (no one EVER logs into the Xterminal
in fact...it is NOT running any network services AND it has NO gettys 
running)

All administration (dpkg/apt etc...) is done in a chroot'd environment 
on the host machine

-Steve

-- 
/* -- Stephen Carpenter <sjc@delphi.com> --- <sjc@debian.org>------------ */
E-mail "Bumper Stickers":
"A FREE America or a Drug-Free America: You can't have both!"
"honk if you Love Linux"
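
Added example (not part of the original message or of the Poor Man's XT document): a small shell check that audits an fstab against the layout described above, where everything is mounted read-only except a private /tmp on a ramdisk. The two fstabs are constructed samples, "nfshost" and the export paths are placeholders, and the finding names are made up for this example.

```sh
#!/bin/sh
# Added example: audit an fstab against the layout described in the message:
# everything read-only except a private /tmp on a ramdisk.
# Boot order from the message: mkfs.minix /dev/ram1, then mount -a.
# Both fstabs are constructed samples; "nfshost" and the export paths are placeholders.

GOOD_FSTAB='# device                  mount  type   options  dump pass
nfshost:/export/xterm-root  /      nfs    ro       0 0
proc                        /proc  proc   defaults 0 0
/dev/ram1                   /tmp   minix  rw       0 0'

BAD_FSTAB='nfshost:/export/xterm-root  /     nfs  defaults  0 0
nfshost:/export/tmp         /tmp  nfs  rw        0 0'

# Reads fstab text on stdin and prints one finding per line (nothing = layout OK).
audit_fstab() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }           # skip blank lines and comments
    $3 == "proc" || $3 == "swap" { next }   # no files kept on the NFS server
    {
        ro = 0
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
        if ($2 == "/tmp") {
            seen_tmp = 1
            # /tmp must be writable and local to this terminal
            if ($1 !~ /^\/dev\/ram[0-9]+$/) print "TMP_NOT_RAM " $1
            if (ro) print "TMP_READONLY " $1
        } else if (!ro) {
            print "WRITABLE " $2             # any other writable mount breaks sharing
        }
    }
    END { if (!seen_tmp) print "TMP_MISSING" }
    '
}

# Show the findings for the constructed bad layout.
printf '%s\n' "$BAD_FSTAB" | audit_fstab
```

Run against the fstab inside the chroot'd XTerminal tree on the host; no output means the layout matches the one described in the message.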
