On Sun, Feb 26, 2006 at 01:45:23AM +0500, Dimitry Naldayev wrote: > > _The motivations_ The main question is "why we want to keep the root fs > read-only?". The answer is probably "we want increase security". A cracker > need to remount root fs in read-write mode before he can do bad things with > oure computer. If his exploit do not do this, he out of luck. But if /etc > is mounted in read-write mode, he do not need to remount root fs to be able > modify something in /etc.
Let me try to clear up some mis-conceptions that may be floating in the air. First, a readonly rootfs does not give a genuine increase in security. It can help with script kiddies, but not someone who knows what he is doing. My hint specifically stated the answer to the "why?" question: <snip> DESCRIPTION: A read-only root file system has many advantages over read-write when the computer unexpectedly powers off. </snip> > The common technic is to put root's home dir in /root not in > /home/something You have not played much in the unix-like world outside of linux apparently. /home/root (and even /usr/home/<users>) is not uncommon. > Yes it is common technic to make root fs read-only but there are some > drawbacks. If you compare original /etc/mtab and /proc/mounts you notice > some differences... Which is why I promptly mention that he misquoted me. There is nothing worse than someone glance over your work only to misunderstand and misquote it. :( > There are software wich add entries to /etc/fstab when you hotplug some > hardware in you computer. You have to decide what the purpose of the machine is. I build mostly servers. I have no use for a writable fstab. On my laptop, I still have no use for a writable fstab. If you want the bells and whistles of udev WRT it's hot/cold plugging capabilities, then you have to rethink your strategy. HINT: If you look at the glibc file that is edited in my hint for writable mtab, you will find many other common /etc files that can be relocated. It's just a simple text file and glibc determines where where they reside. > Unfortunately major Linux vendors do not consider read-only root fs as > primary goal. And I see no reason why they should. It is extra headache and extra support questions from n00bs. This is an advanced topic that requires much planning and forethought to get right. Distro's cannot account for how you will use a machine. This is the beauty of the LFS projects where you decide what is right for you. :) -- Archaic Want control, education, and security from your operating system? Hardened Linux From Scratch http://www.linuxfromscratch.org/hlfs -- http://linuxfromscratch.org/mailman/listinfo/hlfs-dev FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
