Take a look at Live CD or Live DVD methods for OpenBSD: / contains /dev and /etc,
and copies are made in memory file systems (changes to /etc will be lost). Mounting
a read-only / can simply be reversed with mount -u -w /. To make it more
difficult, take a look at chflags schg, which makes files immutable; the flag can only
be removed in single user mode. Example below; the root home directory was changed to
/home/root. You can also take a look at securelevel set to 2 instead of 1 in
rc.securelevel.
$ grep rc.mfs /etc/rc
[ -f /etc/rc.mfs ] && . /etc/rc.mfs
$ cat /etc/rc.mfs
echo "Copy existing files"
cp /dev/MAKEDEV /home/root/mfssetup
tar czf /home/root/mfssetup/etc.tgz /etc
echo -n "Creating mfs {"
mount -t mfs -o nosuid,-i=128,-s=3000 swap /dev
cp /home/root/mfssetup/MAKEDEV /dev
(cd /dev; ./MAKEDEV all )
echo -n " dev"
mount -t mfs -o nosuid,-s=49152 swap /etc
tar xphzf /home/root/mfssetup/etc.tgz -C /
echo " etc}"
$ mount
/dev/wd0a on / type ffs (local, noatime, read-only, softdep)
/dev/wd0e on /home type ffs (local, nodev, noexec, nosuid, softdep)
/dev/wd0f on /usr type ffs (local, noatime, nodev, read-only, softdep)
/dev/wd0g on /var type ffs (local, nodev, noexec, nosuid, softdep)
/dev/wd0h on /var/log type ffs (local, nodev, noexec, nosuid, softdep)
mfs:18565 on /tmp type mfs (asynchronous, local, noatime, nodev, noexec, nosuid, size=256000 512-blocks)
mfs:19145 on /var/tmp type mfs (asynchronous, local, noatime, nodev, noexec, nosuid, size=256000 512-blocks)
mfs:7845 on /dev type mfs (asynchronous, local, nosuid, size=3000 512-blocks)
mfs:25656 on /etc type mfs (asynchronous, local, nosuid, size=49152 512-blocks)
Regards
Nigel Taylor
Bret S. Lambert wrote:
> On Sun, Mar 01, 2009 at 03:03:53PM +0100, Jean-Francois wrote:
>> Janusz,
>>
>> I try to secure a box by forbidding the change to main system files.
>> /dev /etc /tmp /var are on separate slices and would be w/r of course.
>
> If /etc/ is on a separate partition, how would you read /etc/fstab
> in order to know which disks/partitions to mount under / ?
>
> - Bert
>
>> On Sunday, March 1, 2009 at 13:15 +0100, Janusz Gumkowski wrote:
>>> On Sun, Mar 01, 2009 at 10:18:54AM +0100, Jean-Francois wrote:
>>>> Hi All,
>>>>
>>>> One could develop a little bit the advantage(s) of mounting root as
>>>> read only ?
>>>>
>>> Myself, I don't see any.
>>>
>>> /dev, /etc, /tmp and /var/* are changed a lot during startup or while the
>>> system is running.
>>>
>>> What are you trying to do, exactly?