From: Vlad Skvortsov
Date: Fri, 16 Feb 2001 16:29:29 +0300
To: freebsd-questions@FreeBSD.ORG
Subject: Re: read-only /
Message-ID: <20010216162929.A18131@ulstu.ru>

On Fri, Feb 16, 2001 at 01:20:32PM +0000, Cliff Sarginson wrote:
> > What is the proper way to set the root filesystem read-only on a 4.2-R system?
> > The only problem I've encountered is that devices below /dev cannot change
> > owners when users log in.
>
> I do not know what perceived risk you are trying to protect yourself
> from but the above problem with /dev should worry you enough not to
> do this.

That is a shell access server. The configuration has to be secure because
we do not have much time to watch this box. Everything that's possible is set
to r/o; r/w partitions have quotas enabled, and the noexec and nodev flags are on.
The only filesystem left "unsecure" is /.

> Any programs that need to write in /etc will also break.

I do understand it. No programs on a production box should ever write to /etc.

-- 
Vlad Skvortsov, vss@ulstu.ru
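
The mount policy described in the message above (read-only wherever possible; writable partitions with quotas, noexec and nodev) can be checked mechanically against an fstab. This is an added example, not part of the original message: the sample fstab is constructed, and the names audit_fstab and sample_fstab are hypothetical.

```shell
#!/bin/sh
# Added example: audit fstab entries against the policy in the message.
# Assumption: only local UFS filesystems are in scope; swap, procfs etc. are skipped.

# audit_fstab [FILE]  (reads stdin if no file is given)
# Prints one finding per line; returns 1 if any finding was printed.
audit_fstab() {
    awk '
    /^[ \t]*#/ || NF < 4 || $3 != "ufs" { next }
    {
        split("", has)                       # clear the option set
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) has[o[i]] = 1
        if ("ro" in has) next                # read-only: nothing to check
        if ($2 == "/") { print "/: read-write root"; bad = 1; next }
        miss = ""
        if (!("noexec" in has)) miss = miss " noexec"
        if (!("nodev" in has))  miss = miss " nodev"
        if (!("userquota" in has) && !("groupquota" in has)) miss = miss " quota"
        if (miss != "") { print $2 ": missing" miss; bad = 1 }
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample input (not taken from the poster's machine).
sample_fstab() {
    cat <<'EOF'
# Device      Mountpoint  FStype  Options                    Dump Pass
/dev/ad0s1a   /           ufs     rw                         1 1
/dev/ad0s1b   none        swap    sw                         0 0
/dev/ad0s1f   /usr        ufs     ro                         2 2
/dev/ad0s1e   /var        ufs     rw,noexec,nodev,userquota  2 2
/dev/ad0s1g   /home       ufs     rw,nodev,userquota         2 2
/dev/ad0s1h   /tmp        ufs     rw,noexec,nodev            2 2
proc          /proc       procfs  rw                         0 0
EOF
}

# Demo run over the sample; on a real host pass /etc/fstab as the argument.
sample_fstab | audit_fstab || echo "policy violations found"
```

The audit reads the configured options in fstab, not the live mount state, so a filesystem remounted by hand will not show up here.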