Re: goals for hardening Debian: ideas and help wanted
On Sun, Jun 08, 2014 at 10:13:27AM +0800, Paul Wise wrote:
> We kind-of already support that; Debian Live is essentially that. What
> would official support for read-only root look like to you? Option in
> the installer?
Probably fix the last bits of details that make a read-only install not totally functional.
Currently, it appears you can pass the read-only option as extra-flags for / when configuring the filesystem, but you still need to adjust:
mtab -> /proc/mounts
adjtime -> /var/lib/adjtime
blkid.tab -> /var/local/blkid.tab
You still need a /tmp as tmpfs, too - as far as I can see we still are having a /tmp under /
> > https://wiki.debian.org/ReadonlyRoot
> That page needs updating, some of the bugs/issues are fixed. Since you
> are familiar with the use-case, could you do that?
The /etc/network/run issue has been fixed (but this is implied in the page)
What I see seems to be still relevant (i.e. /etc/mtab still needs to be symlinked to /proc/mounts on wheezy, for example)
Bug 156489 is still there on wheezy (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=156489)
# LANG=C /etc/init.d/hwclock.sh stop
Saving the system clock.
hwclock: Could not open file with the clock adjustment parameters in it (/etc/adjtime) for writing: Read-only file system
hwclock: Drift adjustment parameters not updated.
Hardware Clock updated to Sun Jun 8 10:53:36 CEST 2014.
The workaround is really obvious:
mv /etc/adjtime /var/lib && ln -s /var/lib/adjtime /etc
I could not confirm the other issues (such as cups or alsa, which I'm not using on this machine)
> > the only annoying thing is the 'mount: / is busy' issue
> Have you reported this bug?
Not yet, for multiple reasons:
* I can't seem to find the real culprit - checkrestart fails to spot any relevant information, and neither lsof nor fuser -c could help me at this point
* I'm using a customized grsec kernel - I first need to confirm that the issue also appears on a vanilla kernel
* I'm using wheezy/sid mixed packages, and here again a real vanilla install will be necessary to do further tests
But I'll check that next time more thoroughly, as the issue almost always pops up when updating a package.
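The adjustments listed in the reply above (mtab, adjtime, blkid.tab symlinks and a tmpfs /tmp) are easy to forget on a fresh install, so here is an added example, not from the thread or from Debian, of a small POSIX sh audit-and-apply script. ro_root_missing reports which adjustments are absent under a given root (the live system, or a mounted image / chroot for offline review) and returns the count; ro_root_apply performs the same mv-then-symlink workaround the reply shows for hwclock. The function names, the ROOT argument and the fstab check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the mailing-list reply): audit a root tree for the
# read-only-root adjustments the reply lists, and optionally apply them.
# Each entry: "<path under ROOT> <symlink target> <move|drop>"
#   move: keep the existing file by moving it to the target first (adjtime, blkid.tab)
#   drop: the target is kernel-provided, just replace the file with a symlink (mtab)
RO_ROOT_LINKS='etc/mtab /proc/mounts drop
etc/adjtime /var/lib/adjtime move
etc/blkid.tab /var/local/blkid.tab move'

# Print each missing adjustment; return value is the number of items still to fix.
ro_root_missing() {
    root="${1:-/}"; root="${root%/}"   # "/" becomes "" so "$root/etc" is "/etc"
    missing=0
    printf '%s\n' "$RO_ROOT_LINKS" | while read -r rel want mode; do
        path="$root/$rel"
        if [ -L "$path" ] && [ "$(readlink "$path")" = "$want" ]; then
            continue
        fi
        echo "MISSING: $path should be a symlink to $want"
    done
    # The pipe above runs in a subshell, so recount here for the return value.
    for rel_want in "etc/mtab /proc/mounts" "etc/adjtime /var/lib/adjtime" \
                    "etc/blkid.tab /var/local/blkid.tab"; do
        path="$root/${rel_want%% *}"; want="${rel_want#* }"
        if ! { [ -L "$path" ] && [ "$(readlink "$path")" = "$want" ]; }; then
            missing=$((missing + 1))
        fi
    done
    # /tmp must stay writable when / is read-only: require a tmpfs line in fstab
    if ! grep -Eq '^[^#][^[:space:]]*[[:space:]]+/tmp[[:space:]]+tmpfs' \
            "$root/etc/fstab" 2>/dev/null; then
        echo "MISSING: $root/etc/fstab has no tmpfs entry for /tmp"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Create the symlinks, preserving the content of files that must survive (mode "move").
ro_root_apply() {
    root="${1:-/}"; root="${root%/}"
    printf '%s\n' "$RO_ROOT_LINKS" | while read -r rel want mode; do
        path="$root/$rel"
        [ -L "$path" ] && continue            # already a symlink, leave it alone
        if [ "$mode" = move ]; then
            target="$root$want"
            mkdir -p "$(dirname "$target")"
            [ -e "$path" ] && mv "$path" "$target"   # same as: mv /etc/adjtime /var/lib
        else
            rm -f "$path"
        fi
        ln -s "$want" "$path"                 # same as: ln -s /var/lib/adjtime /etc
    done
}

# Usage: ./ro-root.sh [audit|apply] [ROOT]
case "${1:-}" in
    audit) ro_root_missing "${2:-/}" ;;
    apply) ro_root_apply "${2:-/}" && ro_root_missing "${2:-/}" ;;
esac
```

Run the audit first on a mounted image or chroot before touching a live machine; the fstab check only looks for a tmpfs line and does not verify the mount options, so review those by hand.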