Date: Mon, 28 Sep 1998 09:11:06 -0400 (EDT)
Message-Id: <199809281311.JAA15301@trooper.velocet.ca>
From: David Gilbert
To: Don Lewis
Cc: Anton Voronin, Allen Smith, freebsd-security@FreeBSD.ORG
Subject: Re: Booting from NT ?

>>>>> "Don" == Don Lewis writes:

Don> On Sep 28, 2:36pm, Anton Voronin wrote:
Don> } Subject: Re: Booting from NT ?
Don> } Allen Smith wrote:
Don> }
Don> } > Question... what does happen if one has a R/O root filesystem,
Don> } > including /dev, without DEVFS? I'm constructing a firewall computer
Don> } > with a (switchable - a nice facility of some Seagate drives) hard
Don> } > drive for root, a second writeable drive for /var and swap, and a /tmp
Don> } > MFS. What problems am I likely to run into with /dev? I'd really
Don> } > prefer not to have it as a symlink to /var/dev or some such...
Don> }
Don> } It needs to write /dev/console but it does this before mounting
Don> } according to fstab. If you protect your hard drive it probably
Don> } won't work. Try to just mount it with -ro option.

Don> That should not be a problem. You should be able to write to
Don> /dev/console or /dev/null even with a physically write-protected
Don> disk, because writes to these devices don't require changing any
Don> of the bits on the disk.

Don> Just be sure to mount the filesystem read-only as well, otherwise
Don> the kernel will get upset when it tries to update the mtime on
Don> these devices and can't because the disk is write-protected.

I was trying this using a bootable CDROM. The kernel hangs just
before kicking off /etc/rc. My initial attempt has been with a
standard install of 2.2.6 (was a month or two ago).

Not that this is different to how the install boots from the cdrom.
It has a writable RAM mounted root partition... preloaded inside the
compressed kernel.

Dave.

-- 
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             |  equal if and only if they |
|http://www.velocet.net/~dgilbert             |   are precisely opposite.  |
=========================================================GLO================