[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: /boot partition changes when it should not

Clive McBarton wrote:
> Bob McGowan wrote:
>> It is almost certainly the mount count.
> 
> I just manually unmounted and mounted the device a few times. With the
> arguments I have in fstab ("ro","noatime"). In other words, I did
> 
> umount /boot; mount /boot; dd_rescue /dev/sda1 /tmp/boot1;
> umount /boot; mount /boot; dd_rescue /dev/sda1 /tmp/boot2;
> diff /tmp/boot1 /tmp/boot2
> 
> Result: No change. Hence it does not increment a mount count as long as
> it is manually unmounted and remounted while the system is up.
> 
> What do I have to change in the boot process so that the mount count
> does not get updated? How do I get the boot process to honor the fstab
> options?

Interesting ;)  I'd say it should have been obvious to me, now that I
think about it ...

A read-only mount is not going to allow "run of the mill" file system
corruption to happen, hence no reason to increment the count.

> 
>> It is worth noting that the read-only mount prevents writes via "normal"
>> filesystem functions, only.
> 
>> You could still have a write done directly to the device, using the
>> reverse of what the OP did to get the checksum, and completely destroy
>> the disk content.
> 
>> Or, more to the point, use a "disk editor" and twiddle a bit here and
>> there.
> 
> Malicious modifying of files with a disk editor is exactly the undesired
> stuff that this whole checksumming is supposed to detect.

On further consideration, there are other places where things could be
happening, before the "system" is fully started, meaning before the
'mount' options you're using would have any effect.

These don't necessarily do anything (in the "write" sense ;), but are
places to consider checking:  BIOS, grub/lilo/other boot loader, kernel
and kernel options for startup, initrd.

I'm afraid I know too little about these to provide any suggestions on
what to look for or how to proceed. ;(

On a side note, given your concerns, I would assume you have a BIOS with
password protection enabled?  And that you have disabled booting from
anything other than the primary boot disk?

Just curious ;)

> 
>> To get an absolute, no write, ever, to the device, the OP will need to
>> figure out how to force  read only permissions on the device /dev/sda1,
>> across boots.
> 
> Phantastic idea! Can it be done? I have not heard about this yet. It
> would be great.

In the "olden days", when /dev was static, you could simply do a chmod
on the "file" name.

These days, you need to know udev and udev rules files format (which I
don't), to figure out where and how to set this up.

Perhaps someone else on the list would have some ideas for you on how to
do this?

-- 
Bob McGowan
Symantec
US Internationalization
Reply to: