RE: [CentOS] read only root file system
A very big thanks -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100- - +1 (443) 269-1555 x333Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, purge the message from your system and notify the sender immediately. Any other use of the email by you is prohibited. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fred Noz Sent: Saturday, May 24, 2008 1:30 PM To: centos@centos.org Subject: [CentOS] read only root file system On Saturday 24 May 2008 12:05:30 Fred Noz wrote: Responding to a question posted earlier this month, Centos 5.1 includes configuration files for enabling the read-only root filesystem. Actually, all filesystems can be mounted read-only with particular files and directories mounted on a read-write tmpfs (in RAM). This capability comes directly from the upstream provider. When your computer comes back up, the root and any other system partitions will be mounted read-only. All the files and directories listed in /etc/rwtab will be mounted read-write on a tmpfs filesystem. You can add additional files and directories to rwtab to make them writable after reboot. Note that this system is stateless. When you reboot again, everything written to the tmpfs filesystem vanishes and the system will be exactly as it was the last time it was booted. You could add a writable filesystem on disk or NFS for writing files you want to retain after rebooting. This is very interesting. Thanks for the sharing Fred. So, it's somekind of Live CD on a disk? I can't think of a practical benefit of using such system, is it to protect it from unwanted modification? Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial - Fajar, There are many practical reasons why one would want to run a Linux system, whether it be desktop or server, with a read-only root. One reason is for ease of maintenance, especially when there are many systems to maintain. You might be administering computers in a classroom, internet access point, or library and you want to be certain that after reboot, the system is exactly as it was the last time it was rebooted, even if the users mess with the system accidentally or on purpose. For example, if a user fills up the /tmp filesystem and causes the system to crash, after booting, the system will have an empty /tmp filesystem. It will not require that fsck to be run because the other filesystems were mounted read-only. This implies no risk of filesystem corruption (except due to physical failures on the disk). Not needing fsck saves time on boot. You could use read-only root on embedded systems where there is no way an administrator could get to the system to fix it. Read-only root is beneficial on a system running on flash media because this avoids having recurring writes wear out some sectors on the media. This is a practical way to run a large group of diskless systems. A single read-only root filesystem can be made available on a network from an NFS server. Many diskless clients can use this readonly-root simultaneously. Of course, this is a way to implement a live CD. In addition to easy maintenance, readonly-root adds a layer of security. The security is broken if someone gains access to the root user, but then many security protections are lost if someone gains root. Even a Database server can benefit from being run on read-only root. The data disk would certainly be mounted read-write, but there is no reason why the operating system and database application software need to be on disks mounted read-write. When an administrator wants to perform an update, upgrade, software, installation. or other system change, the administrator sets the readonly filesystems to read-write using a simple mount command. After the administrator finishes making the changes, a simple mount command (or reboot) sets the readonly filesystems back to read-only. Of course, on systems where the root and system filesystems have no physical write capability, such as on a live CD, they cannot be set to read-write. - Fred - Fred Noz [EMAIL PROTECTED] ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] read only root file system
On Sat, May 24, 2008 at 8:29 PM, Fred Noz [EMAIL PROTECTED] wrote: In addition to easy maintenance, readonly-root adds a layer of security. The security is broken if someone gains access to the root user, but then many security protections are lost if someone gains root. However, this should *never* be used alone for security concerns. A compromiser can easily run that simple mount command to remount read-write after root access. But sometimes before gaining root access, some system spesific files are over-written to gain root access with the help of exploits.. This helps keeping from them. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] read only root file system
Linux wrote: However, this should *never* be used alone for security concerns. A compromiser can easily run that simple mount command to remount read-write after root access. I've been reading some of your recent comments, Anonymous looser, and I've really got to say this - you seem to make some authoritative style comments on things you really dont know much about. eg. in this case - the filesystem could be mounted readonly since its only exposed readonly from the underlying i/o or block subsystem. - KB -- Karanbir Singh : http://www.karan.org/ : [EMAIL PROTECTED] ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] read only root file system
On Mon, May 26, 2008 at 2:15 AM, Karanbir Singh [EMAIL PROTECTED] wrote: I've been reading some of your recent comments, Anonymous looser, and I've really got to say this - you seem to make some authoritative style comments on things you really dont know much about. eg. in this case - the filesystem could be mounted readonly since its only exposed readonly from the underlying i/o or block subsystem. Thank you for your comments. Next time I'll try to stop my ego... I guess you are right. An authorative style would mean nothing without an identity. A cd-rom can provide security as a readonly mount, but readonly mounted ordinary filesystem/disk means almost nothing. Dont you read comments like administrator remounts read-write? Why? I dont know, I like to be an a**hole looser I think. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] read only root file system
Linux wrote: A cd-rom can provide security as a readonly mount, but readonly mounted ordinary filesystem/disk means almost nothing. Dont you read comments like administrator remounts read-write? Why? If your blockdev is exposed to the OS as 'ro', your administator can go jump off a cliff if he wants, he's not geting +w on there. -- Karanbir Singh : http://www.karan.org/ : [EMAIL PROTECTED] ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] read only root file system
On Saturday 24 May 2008 12:05:30 Fred Noz wrote: Responding to a question posted earlier this month, Centos 5.1 includes configuration files for enabling the read-only root filesystem. Actually, all filesystems can be mounted read-only with particular files and directories mounted on a read-write tmpfs (in RAM). This capability comes directly from the upstream provider. When your computer comes back up, the root and any other system partitions will be mounted read-only. All the files and directories listed in /etc/rwtab will be mounted read-write on a tmpfs filesystem. You can add additional files and directories to rwtab to make them writable after reboot. Note that this system is stateless. When you reboot again, everything written to the tmpfs filesystem vanishes and the system will be exactly as it was the last time it was booted. You could add a writable filesystem on disk or NFS for writing files you want to retain after rebooting. This is very interesting. Thanks for the sharing Fred. So, it's somekind of Live CD on a disk? I can't think of a practical benefit of using such system, is it to protect it from unwanted modification? -- Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org 15:40:28 up 7:29, 2.6.22-14-generic GNU/Linux Let's use OpenOffice. http://www.openoffice.org The real challenge of teaching is getting your students motivated to learn. signature.asc Description: This is a digitally signed message part. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] read only root file system
I am looking at having a read only box, it will not use a swap partition. Any recommendations? Why bother with a hard drive at all? Customize a Live CD/DVD and remove the hard drive alltogether. Barry ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] read only root file system
On Fri, May 2, 2008 at 12:16 AM, Jason Pyeron [EMAIL PROTECTED] wrote: I am looking at having a read only box, it will not use a swap partition. Any recommendations? You'll need to break out your hard drive into multiple partitions, as there are certain portions of the file system that need to be writable such as /var and /home. I setup systems in this manner to make them more difficult to subvert, I'd suggestion searching for topics such as linux file system hardening. When you do need to do maintenance, such as package management, you'll need to remount the root file system as writable which will likely require a reboot. Brett ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
RE: [CentOS] read only root file system
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Barry Brimer Sent: Friday, May 02, 2008 8:21 AM To: CentOS mailing list Subject: Re: [CentOS] read only root file system I am looking at having a read only box, it will not use a swap partition. Any recommendations? Why bother with a hard drive at all? Customize a Live CD/DVD and remove the hard drive alltogether. We are using read only media, but it is not a cdrom/dvd. Barry ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100- - +1 (443) 269-1555 x333Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, purge the message from your system and notify the sender immediately. Any other use of the email by you is prohibited. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] read only root file system
in the /etc/fstab define ro in the permissions field of the entry where the / partition is defined - Original Message - From: Brett Serkez [EMAIL PROTECTED] To: CentOS mailing list centos@centos.org Sent: Friday, May 02, 2008 5:58 PM Subject: Re: [CentOS] read only root file system On Fri, May 2, 2008 at 12:16 AM, Jason Pyeron [EMAIL PROTECTED] wrote: I am looking at having a read only box, it will not use a swap partition. Any recommendations? You'll need to break out your hard drive into multiple partitions, as there are certain portions of the file system that need to be writable such as /var and /home. I setup systems in this manner to make them more difficult to subvert, I'd suggestion searching for topics such as linux file system hardening. When you do need to do maintenance, such as package management, you'll need to remount the root file system as writable which will likely require a reboot. Brett ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] read only root file system
On Fri, May 2, 2008 at 9:38 AM, Ralph Angenendt [EMAIL PROTECTED] wrote: Brett Serkez wrote: On Fri, May 2, 2008 at 12:16 AM, Jason Pyeron [EMAIL PROTECTED] wrote: I am looking at having a read only box, it will not use a swap partition. Any recommendations? You'll need to break out your hard drive into multiple partitions, as there are certain portions of the file system that need to be writable such as /var and /home. I setup systems in this manner to make them more difficult to subvert, I'd suggestion searching for topics such as linux file system hardening. What do you do with /etc/mtab - where the system clearly wants to write into when you mount/unmount stuff? Make it a soft-link to /var or other writable file system, perhaps /etc/mtab - /var/etc/mtab. For the most part the Linux/UNIX file system is broken up into well defined areas, but alas, exceptions need to be dealt with. Brett ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
RE: [CentOS] read only root file system
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Serkez Sent: Friday, May 02, 2008 9:43 AM To: CentOS mailing list Subject: Re: [CentOS] read only root file system On Fri, May 2, 2008 at 9:38 AM, Ralph Angenendt [EMAIL PROTECTED] wrote: Brett Serkez wrote: On Fri, May 2, 2008 at 12:16 AM, Jason Pyeron [EMAIL PROTECTED] wrote: I am looking at having a read only box, it will not use a swap partition. Any recommendations? You'll need to break out your hard drive into multiple partitions, as there are certain portions of the file system that need to be writable such as /var and /home. I setup systems in this manner to make them more difficult to subvert, I'd suggestion searching for topics such as linux file system hardening. What do you do with /etc/mtab - where the system clearly wants to write into when you mount/unmount stuff? Make it a soft-link to /var or other writable file system, perhaps /etc/mtab - /var/etc/mtab. For the most part the Linux/UNIX file system is broken up into well defined areas, but alas, exceptions need to be dealt with. Resources to help with the exceptions I am mounting /tmp as a ramfs, all of these items can go there. I am trying to minimize introduction of non-rhel / centos packages and minimized deviation from modifications outside of the packages. So this will eliminate UnionFS as an option. Current idea about /var/log is to setup syslog to output over some port (tcp, udp, serial, etc...) Brett ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100- - +1 (443) 269-1555 x333Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, purge the message from your system and notify the sender immediately. Any other use of the email by you is prohibited. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] read only root file system
On Fri, 2008-05-02 at 15:38 +0200, Ralph Angenendt wrote: Brett Serkez wrote: On Fri, May 2, 2008 at 12:16 AM, Jason Pyeron [EMAIL PROTECTED] wrote: I am looking at having a read only box, it will not use a swap partition. Any recommendations? You'll need to break out your hard drive into multiple partitions, as there are certain portions of the file system that need to be writable such as /var and /home. I setup systems in this manner to make them more difficult to subvert, I'd suggestion searching for topics such as linux file system hardening. What do you do with /etc/mtab - where the system clearly wants to write into when you mount/unmount stuff? ln -s /proc/mounts /etc/mtab There are some gotchas if you have some loopback mounts instituted by the mount command. Since /proc/mounts is a symlink to self-mounts, maybe pointing directly there would work too. Cheers, Ralph snip sig stuff HTH -- Bill ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: AW: RE: [CentOS] read only root file system
On Fri, 2008-05-02 at 19:22 +0200, Marc Rebischke wrote: I am looking at having a read only box, it will not use a swap partition. Any recommendations? I built a diskless, CD-based firewall some time ago which works fine. Of course you still need some writable directories, i.e. /var/run, /var/lock, /var/lib/dhcpd, /var/named, /tmp, /var/empty/sshd/etc and /var/net-snmp. This can be achieved by using layered filesystems and a ramdisk. If you want to follow that path, I'd recommend using aufs, see http://aufs.sourceforge.net Well, i tried two possibilities years ago.. 1.) : There are SCSI-Disks with jumpers for Write Protect , so you have a real Hardware write-protection. which would work as good as using a CD. 2.) : Have a look at (Open)BSD's Immutable Flag-Feature. (Well, i hope you all love OpenBSD?) ;-) Butdon't get nervous while setting up the box... There is an immutable flag for ext2/3 (see setfattr(1)), but it can easily be removed once root access is gained, so I'd not recommend it. Host-based intrusion detection systems (integrit, aide, tripwire) can help you discover any manipulations, but I'd go for a CD or write-protected disks to be on the safe side. Regards, Torsten ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] read only root file system
On Fri, May 2, 2008 at 12:16 AM, Jason Pyeron [EMAIL PROTECTED] wrote: I am looking at having a read only box, it will not use a swap partition. Any recommendations? Here is a slide deck from a presentation Rick Troth has done on read only root file systems. http://linuxvm.org/present/SHARE110/S9216rt.pdf Might be some helpful bits of information in there for you. Good luck! Jeffrey ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos