
Re: Bits from the Release Team - Kicking off Wheezy



[...]
> • Read-only root
> 
>   Depends on /run.  Having /run will allow remaining writable files
>   under /etc to be moved (/etc/mtab, LVM2 cache, CUPS for starters).
>   Identifying and fixing/removing packages writing to /etc during
>   their normal operation would be a worthy release goal.
> 
>   This will make Debian more secure to run, easier to deploy in a
>   cluster or netboot environment (no writable image overlay required),
>   keeping dpkg-managed filesystems completely read-only during normal
>   operation (other than /var).
> 
[...]

Here's an obviously incomplete list of such files, from a fairly comprehensive
desktop installation. I've taken these from my integrit configuration for a
lenny (!) system - I'd love not to need such a list of exceptions.

/etc/aumixrc
/etc/mtab
/etc/motd
/etc/adjtime
/etc/resolv.conf
/etc/qt3/qt_plugins_3.3rc
/etc/network/run/ifstate
/etc/hotplug/.run/net.enable
/etc/cups/ppd/
/usr/share/ppd/custom/
/etc/cups/classes.conf
/etc/cups/printers.conf
/etc/cups/printers.conf.O
/etc/cups/cupsd.conf
/etc/printcap
/etc/lvm/cache/.cache
/etc/openvpn/openvpn-status.log
/etc/blkid.tab
/etc/blkid.tab.old
/etc/samba/dhcp.conf
/etc/hosts.deny (written by denyhosts, hence that one is a bit hard to fix)

Hope this helps,
Michael
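One way to audit an /etc tree for the kind of runtime writes listed above is to report every file changed since a boot-time reference file and drop the known exceptions. The script below is an added example, not code from the message or from Debian; it assumes an exception file in the same format as the list above (one path per line, a trailing `/` meaning "everything under this directory"), and a reference file whose mtime marks the last boot.

```shell
#!/bin/sh
# is_exception PATH EXCFILE: succeed if PATH is covered by an entry in EXCFILE.
# Entries ending in '/' are directory prefixes; all others must match exactly.
is_exception() {
    path=$1
    excfile=$2
    while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        case "$entry" in
            */) case "$path" in "$entry"*) return 0 ;; esac ;;
            *)  [ "$path" = "$entry" ] && return 0 ;;
        esac
    done < "$excfile"
    return 1
}

# report_changes ROOT REFFILE EXCFILE: print files under ROOT whose mtime is
# newer than REFFILE and that are not listed in EXCFILE.  Paths are printed
# relative to ROOT, so with ROOT="/" they read "/etc/mtab" and match the
# exception file directly; a chroot or mounted image can be checked by passing
# its mount point as ROOT.
report_changes() {
    root=${1%/}
    find "$root/etc" -type f -newer "$2" | sort | while IFS= read -r f; do
        rel=${f#"$root"}
        is_exception "$rel" "$3" || printf '%s\n' "$rel"
    done
}

# Example invocation (assumption: /var/run/boot-stamp was touched at boot):
#   report_changes / /var/run/boot-stamp /etc/integrit/etc-exceptions
```

Anything the report prints is a candidate for the "fixing/removing packages writing to /etc" goal, or for a new exception entry if the write turns out to be legitimate.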
