Date: Fri, 13 Jun 2008 20:28:23 +0200 (CEST) From: Wojciech Puchar <wojtek@wojtek.tensor.gdynia.pl> To: "A. Hamilton-Wright" <andrew@qemg.org> Cc: freebsd-questions@freebsd.org Subject: Re: Running with a readonly root partition Message-ID: <20080613202642.D2744@wojtek.tensor.gdynia.pl> In-Reply-To: <alpine.BSF.1.10.0806131409310.78983@qemg.org> References: <alpine.BSF.1.10.0806131409310.78983@qemg.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> > As devfs is running by default, it seems to me that > it would be relatively easy to run with a readonly > root partition, assuming that the directories under > which writing is necessary (ie; /tmp, /var, /home) > are located in separate, writable partitions. yes. > The main advantages are that none of the configuration > files or binaries in /etc and /usr (which may still /etc is rather writable - for example when user changes password. > be on a separate readonly partition) are vulnerable > and the boot process update to /etc/motd). Once these > have been rectified by relocating the files and setting > up symlinks, there have been no problems. > > My questions are: > - does anyone else do this? no that - but i do this on my liveDVD > - if not, why not? if you will set securelevel to prevent umounts - it may add much to the security. but - the same time - you'll have to reboot system to change anything!
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080613202642.D2744>