From owner-freebsd-questions@FreeBSD.ORG Fri Jun 13 18:26:35 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B8AEF106564A for ; Fri, 13 Jun 2008 18:26:35 +0000 (UTC) (envelope-from mister.olli@googlemail.com) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.175]) by mx1.freebsd.org (Postfix) with ESMTP id 3DE2D8FC17 for ; Fri, 13 Jun 2008 18:26:34 +0000 (UTC) (envelope-from mister.olli@googlemail.com) Received: by ug-out-1314.google.com with SMTP id q2so135783uge.37 for ; Fri, 13 Jun 2008 11:26:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:subject:from:reply-to:to :in-reply-to:references:content-type:date:message-id:mime-version :x-mailer:content-transfer-encoding; bh=ihben7LQBpudYbMeEYfKtunMYXyT3v2ddolw671ZMz0=; b=epnWuCh+n6uQzqAeVU27U6H4JHxfAbT9SIy5tViYLmYwBF+zW84Zm8HrnKgeVoj/W9 vyv7V0rKOTMQdSL2EWh2g7DW9xqKmPbZK9g0Uw15jNKm5bRuzPottDjOsvXUxmY1VBZf 6wSyeEoIHANGNcrfEbkXa0T7v9+7hlSuzm4/Q= DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=subject:from:reply-to:to:in-reply-to:references:content-type:date :message-id:mime-version:x-mailer:content-transfer-encoding; b=UpjAsqr+cbV3FJU01BilQ7xGSa4y9ao94n8/8psKnKjUNKlYl9XneCpTYSv/QQ913S M4LRrCKVo2yrIW0ge8ysThF0gHLJ3r7Lg6wCz326QGVN/aDYKcZtytlRGZ2mqf8YYWuh QTFXgP2/UKBJwGIAPaiG4rvCr8Rg0HPvG3hJ4= Received: by 10.67.40.15 with SMTP id s15mr1408047ugj.53.1213381593669; Fri, 13 Jun 2008 11:26:33 -0700 (PDT) Received: from ?10.30.1.184? ( [78.47.172.52]) by mx.google.com with ESMTPS id 18sm1978578ugk.44.2008.06.13.11.26.31 (version=SSLv3 cipher=RC4-MD5); Fri, 13 Jun 2008 11:26:32 -0700 (PDT) From: Mister Olli To: freebsd-questions@freebsd.org In-Reply-To: References: Content-Type: text/plain Date: Fri, 13 Jun 2008 20:26:20 +0200 Message-Id: <1213381580.6398.145.camel@phoenix.blechhirn.net> Mime-Version: 1.0 X-Mailer: Evolution 2.12.3 Content-Transfer-Encoding: 7bit Subject: Re: Running with a readonly root partition X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: mister.olli@googlemail.com List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 Jun 2008 18:26:35 -0000 hi... do you have some kind of installation/setup manual? that would be really interesting to see your steps, and try that myself. I have some questions too: - how do you handle updates/ installation of new software? - how do you prevent someone who hacked the machine to remount '/' as writable - how do users update theirs passwords when '/etc' is read-only? greetz olli Am Freitag, den 13.06.2008, 14:47 -0300 schrieb A. Hamilton-Wright: > As devfs is running by default, it seems to me that > it would be relatively easy to run with a readonly > root partition, assuming that the directories under > which writing is necessary (ie; /tmp, /var, /home) > are located in separate, writable partitions. > > The main advantages are that none of the configuration > files or binaries in /etc and /usr (which may still > be on a separate readonly partition) are vulnerable > to attack (even from a local privilege escalation) > without remounting the partition as writable. > > This used to be a very common setup in the *NIX > world, so I am surprised to find little to no mention > of it in the archives. > > I set up my machine this way a couple of months back, > and have noticed some minor things (some few things > assume a writable /etc, notably including dump(8), > and the boot process update to /etc/motd). Once these > have been rectified by relocating the files and setting > up symlinks, there have been no problems. > > My questions are: > - does anyone else do this? > - if not, why not? > > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"