
Re: How can I make root filesystem read-only?



On 21 Nov 2002, 10:52:15, Oliver Elphick wrote:
> 
> 
> On Thu, 2002-11-21 at 10:36, Hiroki Horiuchi wrote:
> > I am trying to make the root filesystem including /usr subdirectory
> > read-only. But, if I set the mount option of / to ro, system cannot boot.
> > Making only /usr read-only is not enough for me.
> > Cannot root filesystem be read-only?
> 
> In effect, no.
> 
> For example, /etc must be in the root filesystem and mount writes to
> /etc/mtab

There is a very good document on improving the out-of-the-box security of
a Debian system that you can install via apt-get install harden-doc.  Then
open /usr/share/doc/harden-doc/html/securing-debian-howto/index.html in your
web-browser and have a read.

One of their suggestions is to put /usr, /usr/share, /var, /var/tmp, /var/log,
and /var/account on separate partitions, each with different options in /etc/fstab,
mounting them, variously, ro, noexec, nosuid, nodev, etc. . . . 

The only headache in doing this is that apt-get install and apt-get upgrade
need write access and exec privs on some of these areas, so you have to configure
pre- and post-apt-get commands.  As an earlier post indicated, the remounting
after apt-get doesn't always work . . . so you typically have to get in the
habit of going into single-user mode for any apt-get activities (not always
possible on a multi-user production system that you want to run an apt-get
upgrade on to install new revs with security patches . . . ).

If you search the Debian package directories for harden, you'll find a collection
of docs and utilities to assist you in securing your system.

Also, Bastille was nearly ready with a port to Debian a few months ago. 
I haven't used it, but it gets quite good reviews for being able to identify
weaknesses.

Good luck.

madmac 

> 
> Perhaps you could arrange to have a RAM disk for root?  (See initrd.)
> 


-- 
Doug MacFarlane
madmac@covad.net
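The partition layout and the pre/post apt-get remount hooks described in the post above, written out as an added example (not code from the thread): the fstab fragment and device names are constructed, the hook snippet uses apt's real DPkg::Pre-Invoke/Post-Invoke keys, and check_opts is a small audit that reports any mountpoint missing a required option (it works on /etc/fstab or /proc/mounts text alike, since both carry the mountpoint in field 2 and the options in field 4).

```shell
#!/bin/sh
# Constructed /etc/fstab fragment following the layout suggested in the post:
# /usr read-only, writable trees with nodev/nosuid, scratch/log trees also noexec.
FSTAB_EXAMPLE='/dev/sda2  /usr      ext3  defaults,ro,nodev             0 2
/dev/sda3  /var      ext3  defaults,nodev,nosuid         0 2
/dev/sda4  /var/tmp  ext3  defaults,nodev,nosuid,noexec  0 2
/dev/sda5  /var/log  ext3  defaults,nodev,nosuid,noexec  0 2
/dev/sda6  /tmp      ext3  defaults,nodev,nosuid,noexec  0 2'

# apt hook (goes in a file under /etc/apt/apt.conf.d/, name is your choice):
# remount /usr read-write before dpkg runs, back to read-only afterwards.
# The "|| true" keeps apt from failing when the ro remount is refused because
# a file on /usr is still open, which is the failure mode the post mentions;
# the audit below is what tells you that it happened.
APT_HOOK='DPkg::Pre-Invoke  { "mount -o remount,rw /usr"; };
DPkg::Post-Invoke { "mount -o remount,ro /usr || true"; };'

# check_opts FSTAB_TEXT MOUNTPOINT REQUIRED_OPTS
# Prints one line per missing option; returns 0 only if all required
# options are present on that mountpoint.
check_opts() {
    fstab=$1; mp=$2; required=$3
    # field 2 = mountpoint, field 4 = comma-separated options (fstab and /proc/mounts)
    opts=$(printf '%s\n' "$fstab" | awk -v mp="$mp" '$2 == mp { print $4 }' | tail -n 1)
    if [ -z "$opts" ]; then
        echo "$mp: not listed"
        return 1
    fi
    rc=0
    for want in $(printf '%s' "$required" | tr ',' ' '); do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$mp: missing $want"; rc=1 ;;
        esac
    done
    return $rc
}

# Audit the live system (or the constructed example when run without root):
# cat /proc/mounts | check against the same expectations.
audit_example() {
    check_opts "$FSTAB_EXAMPLE" /usr     ro,nodev
    check_opts "$FSTAB_EXAMPLE" /var/tmp nodev,nosuid,noexec
    check_opts "$FSTAB_EXAMPLE" /var/log nodev,nosuid,noexec
}
```

Running `audit_example` against `$(cat /proc/mounts)` instead of `$FSTAB_EXAMPLE` after an apt-get run is a quick way to notice that /usr was left rw by a failed post-invoke remount.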


