Re: Set up root partition as read only.

2006-04-19 Thread Daniel A. Ramaley
On Friday 14 April 2006 22:17, you wrote:
 To increase the security level of my OpenBSD system I have defined at
 /etc/fstab that the root partition should be read only.

That won't increase your security level much, but if you really want to 
make / read-only, there is more involved. (I recently did this on a 
machine with a flash drive instead of a standard hard drive in order to 
save wear on the flash.) To start with, read and understand /etc/rc and 
mfs(8). Convert /dev and /var to be on memory file systems (pay 
attention to -P in mfs(8)). Then edit /etc/rc and comment out the lines 
that mount /, /usr, and /var, and the lines that 
rewrite /etc/resolv.conf.

If you need more information than this, Google is your friend. I also 
have a more detailed HOWTO-style document that I wrote that I would be 
willing to share off-list, though you might learn more if you do your 
own research instead.


Dan Ramaley                  Dial Center 118, Drake University
Network Programmer/Analyst   2407 Carpenter Ave
+1 515 271-4540              Des Moines IA 50311 USA



Re: Set up root partition as read only.

2006-04-16 Thread Lars Hansson
On Saturday 15 April 2006 11:17, João Salvatti wrote:
 To increase the security level of my OpenBSD system I have defined at
 /etc/fstab that the root partition should be read only. /etc/fstab
 follows:

While there are advantages of read-only /, security isn't one of them.
If you still want to do this be aware that you need to do some minor 
modifications to /etc/rc to get it to work and you'll also need to use a 
separate partition (preferably mfs) for /dev, with all the implications that 
has (need to create devices on boot, etc).
To sum it up, while read-only / is possible it's no walk in the park and you 
should take the time to understand the OpenBSD startup process before 
attempting it.

---
Lars Hansson



Re: Set up root partition as read only.

2006-04-15 Thread Henning Brauer
* João Salvatti [EMAIL PROTECTED] [2006-04-15 05:23]:
 To increase the security level of my OpenBSD system I have defined at
 /etc/fstab that the root partition should be read only.

eh.. yeah. sure. I'll leave the debate whether that makes sense out (it 
doesn't)

 After rebooting my system I tested to check whether these settings were
 applied correctly:
 
 # cd /
 # touch test
 
  When I ran ls the 'test' file was there. I mean, the ro flag that I
 had added to my root partition had no effect. Has anyone ever faced
 this?

see /etc/rc

mount -uw / # root on nfs requires this, others aren't hurt


-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
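
The symptom in this thread (fstab declares / as ro, yet the `mount -uw /` in /etc/rc leaves it writable) can be caught by comparing declared and effective mount flags. The following is an added example, not part of any poster's message: `ro_drift` is a hypothetical helper, and the mount(8) output lines are constructed samples in an assumed format.

```shell
#!/bin/sh
# Constructed sample input: the fstab posted in the thread, and mount(8)-style
# output (assumed format) as it could look after /etc/rc ran "mount -uw /".
SAMPLE_FSTAB='/dev/wd0a / ffs ro,softdep 1 1
/dev/wd0g /home ffs rw,softdep,nodev,nosuid,noexec 1 2
/dev/wd0f /tmp ffs rw,softdep,nodev,nosuid,noexec 1 2
/dev/wd0d /usr ffs rw,softdep,nodev 1 2
/dev/wd0e /var ffs rw,softdep,nodev,nosuid,noexec 1 2'
SAMPLE_MOUNT='/dev/wd0a on / type ffs (local, softdep)
/dev/wd0g on /home type ffs (local, nodev, noexec, nosuid, softdep)
/dev/wd0f on /tmp type ffs (local, nodev, noexec, nosuid, softdep)
/dev/wd0d on /usr type ffs (local, nodev, softdep)
/dev/wd0e on /var type ffs (local, nodev, noexec, nosuid, softdep)'

# ro_drift FSTAB_TEXT MOUNT_TEXT  (hypothetical helper)
# Prints, one per line, every mount point that fstab declares "ro" but that
# the mount output does not show as read-only (or does not show at all).
ro_drift() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---" { in_mount = 1; next }
        !in_mount {
            if ($0 ~ /^[ \t]*(#|$)/) next      # skip comments and blank lines
            n = split($4, opt, ",")            # 4th fstab field: mount options
            for (i = 1; i <= n; i++)
                if (opt[i] == "ro") want[$2] = 1
            next
        }
        $2 == "on" {                           # DEV on MNT type FS (flag, ...)
            flags = $0
            sub(/^[^(]*\(/, "", flags)
            sub(/\).*$/, "", flags)
            n = split(flags, f, /, */)
            for (i = 1; i <= n; i++)
                if (f[i] == "read-only") ro[$3] = 1
        }
        END { for (m in want) if (!(m in ro)) print m }
    ' | sort
}

ro_drift "$SAMPLE_FSTAB" "$SAMPLE_MOUNT"       # prints "/"
```

On a live system the same function can be fed `"$(cat /etc/fstab)"` and `"$(mount)"`; empty output means every filesystem declared ro is actually mounted read-only.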



Set up root partition as read only.

2006-04-14 Thread João Salvatti
Hi all,

To increase the security level of my OpenBSD system I have defined at
/etc/fstab that the root partition should be read only. /etc/fstab
follows:


/dev/wd0a / ffs ro,softdep 1 1
/dev/wd0g /home ffs rw,softdep,nodev,nosuid,noexec 1 2
/dev/wd0f /tmp ffs rw,softdep,nodev,nosuid,noexec 1 2
/dev/wd0d /usr ffs rw,softdep,nodev 1 2
/dev/wd0e /var ffs rw,softdep,nodev,nosuid,noexec 1 2

After rebooting my system I tested to check whether these settings were
applied correctly:

# cd /
# touch test

 When I ran ls the 'test' file was there. I mean, the ro flag that I
had added to my root partition had no effect. Has anyone ever faced
this?

Thanks.


--
João Salvatti
Undergraduating in Computer Science
Federal University of Para - UFPA
web: http://www.openbsd-pa.org
e-mail: [EMAIL PROTECTED]



Re: Set up root partition as read only.

2006-04-14 Thread Tony
João Salvatti wrote:

 Hi all,

 To increase the security level of my OpenBSD system I have defined at
 /etc/fstab that the root partition should be read only. /etc/fstab
 follows:

Me, I just lurk here but:
1) if having / ro would actually improve security,
they would have done so long ago.
2) There are probably essential reasons why / cannot be read-only
on a useable system. Involving /etc, maybe.

You maybe can get the desired effect if you make / small enough
so there isn't room to write anything else.



 /dev/wd0a / ffs ro,softdep 1 1
 /dev/wd0g /home ffs rw,softdep,nodev,nosuid,noexec 1 2
 /dev/wd0f /tmp ffs rw,softdep,nodev,nosuid,noexec 1 2
 /dev/wd0d /usr ffs rw,softdep,nodev 1 2
 /dev/wd0e /var ffs rw,softdep,nodev,nosuid,noexec 1 2

 After rebooting my system I tested to check whether these settings were
 applied correctly:

 # cd /
 # touch test

  When I ran ls the 'test' file was there. I mean, the ro flag that I
 had added to my root partition had no effect. Has anyone ever faced
 this?

 Thanks.


 --
 João Salvatti
 Undergraduating in Computer Science
 Federal University of Para - UFPA
 web: http://www.openbsd-pa.org
 e-mail: [EMAIL PROTECTED]



Re: Set up root partition as read only.

2006-04-14 Thread Chris Kuethe
On 4/14/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Me, I just lurk here but:
 1) if having / ro would actually improve security,
 they would have done so long ago.
 2) There are probably essential reasons why / cannot be read-only
 on a useable system. Involving /etc, maybe.

it causes problems unless you hack up /etc/rc in a big way. I had
boxen I did this on - firewalls with filesystems on CF so fsck was a
pain - but there were a lot of changes needed. In the end, it didn't
win me enough, so I just went back to rw / ...

   When I ran ls the 'test' file was there. I mean, the ro flag that I
  had added to my root partition had no effect. Has anyone ever faced
  this?

read /etc/rc.

--
GDB has a 'break' feature; why doesn't it have 'fix' too?