On Wed, 05 Nov 2003 09:30:37 +0100
Andreas Janssen <email@example.com> wrote:
AJ> Chema (<firstname.lastname@example.org>) wrote:
AJ> > But there is also another view that I have not seen mentioned: in
AJ> > serious servers, you can also "freeze" the most static parts of
AJ> > your system, namely /bin, /sbin and /usr. This means mounting
AJ> > them read-only.
AJ> That sounds like you want to put /bin and /sbin on its own
AJ> partition. How exactly are you going to do that, if even the mount
AJ> command itself is in /bin? By keeping local copies in the /bin
AJ> directory on the / partition? Or do you mount / ro (which is also
AJ> somehow problematic because some files there are regularly written
AJ> to, for example mtab)?
Yep, I forgot to specify that they would be in separate partitions. And you got me there! Indeed, you would need a minimalistic /[s]bin somewhere in root with not only mount, but all the init stuff. It becomes more or less of a hassle: you have to check all your init commands before the mounts, copy the progs to the /bootbin, and edit the scripts to reflect the new path. Well, actually this could be perled easily !-)
But in a more conservative way, you could just leave /sbin on root (most init stuff is run from there) and copy there what you need from /bin (in RH9, it would be like sh, hostname, dmesg, mount, loadkeys and true). Then you edit the scripts and that's it.
So you can keep in root all that is needed before mounting all the fs's, or you could just keep sh and mount, and mount /bin before anything there gets called. A premature /bin mount should be harmless, but I still have to think about it.
Keeping root as read-only (usually init mounts it r-o first) is not viable, 'cause we need to write at least to /etc and /dev (!). I suppose that at least /etc could also get its own partition (partitionfest!!), but that is "starting" to sound too extreme: you'll need a pretty static /etc! (maybe with a few symlinks from mtab and the such to writable versions in root).
Concluding, /usr should pose no problem to mount r-o. "Should": in RH9, rc.sysinit mentions almost at its start a /usr/bin/rhgb, but it's only for graphical bootup (I don't even have it installed). /bin and /sbin are more complicated but should not be that hard if you get sh and mount to root and mount them early in the init (dangers?? the need of fsck should not be one, at least until 2000 mounts or 10,000 miles --remember, read-only lasts much longer ;-).
And if someone gets really wild and decides to also throw /etc into the equation, let us know how bad it goes!!
Now, mounting read-only can protect the files from abrupt shutdowns or inexperienced users with too much access, but a cracker (of a certain level) should know how to do a -o remount,rw without problems. That's where the kernel patch (or whatever) I mentioned kicks in. But I still can't google it! Has anyone heard of it?
I started playin' with Debbie recently, and will try some of this when I get the time.
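The message above argues that /usr, /bin and /sbin can be "frozen" by mounting them read-only, and then points out that anyone with root can simply remount them rw. A defender who goes down this road wants a check that the frozen filesystems are still read-only. The script below is an added example written for this thread, not something from the original posts or from any distribution: it reads lines in /proc/mounts format (device, mountpoint, fstype, options, dump, pass) and reports, for each of the three paths the message names, whether it is mounted ro, has become rw, or is not a separate mount at all. The function names and the sample mount table are my own constructions.

```shell
#!/bin/sh
# Added example, not from the thread: audit whether the "frozen" filesystems
# the message talks about (/usr, /bin, /sbin) are actually mounted read-only.
# It reads lines in /proc/mounts format, so it works against the live table
# or against the constructed sample below.

# check_ro <mountpoint> <mounts-file>
# Prints "ro" if the mount point carries the ro option, "rw" if it is a
# separate mount without it, and "absent" if it is not a mount point at all
# (i.e. it lives on the root filesystem and inherits root's options).
check_ro() {
    mp="$1"
    table="$2"
    # /proc/mounts fields: device mountpoint fstype options dump pass.
    # Take the last matching line, since a later mount overlays an earlier one.
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$table" | tail -n 1)
    if [ -z "$opts" ]; then
        echo absent
        return 0
    fi
    # Options are comma separated; wrap in commas so "ro" matches only as a
    # whole option and not as a substring of something like "errors=remount-ro".
    case ",$opts," in
        *,ro,*) echo ro ;;
        *)      echo rw ;;
    esac
}

# audit_frozen <mounts-file>
# Prints one "<path> <state>" line per path and returns 1 if any of the
# filesystems we expect to be read-only is writable or not mounted separately,
# which is exactly what a "mount -o remount,rw" would leave behind.
audit_frozen() {
    table="$1"
    rc=0
    for mp in /usr /bin /sbin; do
        state=$(check_ro "$mp" "$table")
        echo "$mp $state"
        [ "$state" = ro ] || rc=1
    done
    return $rc
}

# make_sample_table: writes a constructed mount table (not captured from a
# real host) to a temp file and prints its path. /usr is ro, /bin has been
# remounted rw, and /sbin is not a separate mount.
make_sample_table() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /usr ext3 ro 0 0
/dev/sda3 /bin ext3 rw 0 0
proc /proc proc rw 0 0
EOF
    echo "$f"
}

# Run against the live table with "--live", otherwise against the sample.
if [ "${1:-}" = "--live" ]; then
    audit_frozen /proc/mounts
else
    sample=$(make_sample_table)
    audit_frozen "$sample"
    rm -f "$sample"
fi
```

Run with `--live` to read the real /proc/mounts; a non-zero exit is the signal that something the init scripts were supposed to leave read-only is now writable, so the script can sit in cron or a periodic integrity job. Note that it only tells you the current mount state; it says nothing about whether a remount happened and was undone in between.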