OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: [suse-security] /-Root-FS: Readonly?
From: Stefan Bauer (sbauerwb-lorenz.de)
Date: Tue Jun 27 2000 - 06:57:23 CDT


Roman Drahtmueller schrieb:
>

Hi Roman,

>
> Hi Stefan,
>
> A write attempt to some device file on a read-only mounted filesystem is
> legitimate and should be successful as long as no filesystem changes are
> involved. If you consider a device file a "hole" in the filesystem, this
> behaviour might be more transparent to you.
>

That is, what I thought that would happen, but I got the log-messages
...

> The problem is that mingetty tries to chown(2) and chmod(2) the device

Ah, I didn't know of that. Now it's clear to me, what happens.

> file. You'd have to ensure that these non-ro operations are successful.
> This can be done by mounting a ramdisk over /dev soon after the kernel
> boot, and before /dev/pts is mounted. The next step would be to unpack a
> tarfile into that new ramdisk so that the device files are fully available
> when other processes open them later. It is imperative that this happens
> while no other process is running that could feel like opening a device
> file which isn't there yet.
>

Good advice. I'll give it a try.

> With some tweaking it is very well possible to have a read-only root-fs.
> But if you use this feature for security reasons, you also have to make
> sure that write access to the raw device is not possible either - a disk

Oh thanks, I haven't thougt about raw devices in this context.

> seems useless under these circumstances. Once it's finished, burn the ext2
> filesystem on a CD and boot from it.
>

Hmmm, sounds good.

Thanks, Roman, now I think I can get running in the way I want it.

Bye

-- 

Stefan Bauer

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribesuse.com For additional commands, e-mail: suse-security-helpsuse.com