Subject: Re: [suse-security] /-Root-FS: Readonly?
From: Stefan Bauer (sbauer@wb-lorenz.de)
Date: Tue Jun 27 2000 - 06:57:23 CDT
- Next message: rhoerbe@netpromote.co.at: "Re: [suse-security] qpopper and APOP (starting to bore, ah?!)"
- Previous message: Takács Attila: "RE: [suse-security] Auditing software for Squid"
- In reply to: Roman Drahtmueller: "Re: [suse-security] /-Root-FS: Readonly?"
- Next in thread: Kurt Seifried: "Re: [suse-security] /-Root-FS: Readonly?"
- Reply: Stefan Bauer: "Re: [suse-security] /-Root-FS: Readonly?"
Roman Drahtmueller wrote:
>
Hi Roman,
>
> Hi Stefan,
>
> A write attempt to some device file on a read-only mounted filesystem is
> legitimate and should be successful as long as no filesystem changes are
> involved. If you consider a device file a "hole" in the filesystem, this
> behaviour might be more transparent to you.
>
That is what I thought would happen, but I got the log messages
...
> The problem is that mingetty tries to chown(2) and chmod(2) the device
Ah, I didn't know about that. Now it's clear to me what happens.
> file. You'd have to ensure that these non-ro operations are successful.
> This can be done by mounting a ramdisk over /dev soon after the kernel
> boot, and before /dev/pts is mounted. The next step would be to unpack a
> tarfile into that new ramdisk so that the device files are fully available
> when other processes open them later. It is imperative that this happens
> while no other process is running that could feel like opening a device
> file which isn't there yet.
>
Good advice. I'll give it a try.
> With some tweaking it is very well possible to have a read-only root-fs.
> But if you use this feature for security reasons, you also have to make
> sure that write access to the raw device is not possible either - a disk
Oh thanks, I haven't thought about raw devices in this context.
> seems useless under these circumstances. Once it's finished, burn the ext2
> filesystem on a CD and boot from it.
>
Hmmm, sounds good.
Thanks, Roman, now I think I can get it running the way I want.
Bye
--Stefan Bauer
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
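The sequence Roman describes (a RAM-backed filesystem mounted over /dev before /dev/pts and before any getty, the device nodes unpacked into it from a tarfile, and only then mingetty's chown/chmod succeeding), written out as an added shell example. This is not code from the thread or from SuSE: tmpfs stands in for the 2.4-era ramdisk + mke2fs, the paths (/boot/dev.tar), the MOUNT_CMD hook, the 'hd*' exclusion and the 0600 mode attributed to mingetty are all assumptions, and the /proc/mounts audit at the end is there to confirm afterwards that / really is ro while /dev is rw.

```shell
#!/bin/sh
# rodev.sh: helper for running mingetty on a read-only root filesystem.
# Added example, not code from the suse-security thread or from SuSE; every
# path and name here is an assumption. tmpfs stands in for the 2.4-era
# ramdisk + mke2fs that the advice in the thread would have used.
set -u

# Build time, on a still-writable system: capture the device nodes into a
# tarball. tar records major/minor numbers, owner and mode of each node, so
# they come back intact when unpacked into the RAM-backed /dev. An optional
# pattern drops nodes the hardened box must not have: the raw disk devices
# (hd*, sd*), through which root could write to the disk underneath the
# read-only mount.
make_dev_tarball() {            # make_dev_tarball /dev /boot/dev.tar ['hd*']
    src=$1; out=$2; excl=${3:-}
    if [ -n "$excl" ]; then
        (cd "$src" && tar --exclude="$excl" -cf "$out" .)
    else
        (cd "$src" && tar -cf "$out" .)
    fi
}

# Early boot, before /dev/pts is mounted and before any getty or daemon has
# started: mount a RAM-backed filesystem over /dev and restore the nodes into
# it. Anything opening a device afterwards finds the node present, and
# mingetty's chown(2)/chmod(2) on /dev/ttyN land on writable storage.
# MOUNT_CMD is the hook for the privileged step; set it to "mkdir -p" to
# exercise the function unprivileged against a scratch directory.
: "${MOUNT_CMD:=mount -t tmpfs -o mode=0755,nosuid,noexec ramdev}"
mount_ramdev() {                # mount_ramdev /boot/dev.tar /dev   (absolute paths)
    tarball=$1; mnt=$2
    $MOUNT_CMD "$mnt" || return 1
    (cd "$mnt" && tar -xpf "$tarball") || return 1
    # the nodes the console and the first getty need must be there now
    [ -e "$mnt/console" ] && [ -e "$mnt/tty1" ]
}

# What mingetty does when it takes over a tty: chown it to root and chmod it
# (0600 assumed here). On a read-only /dev both calls fail with EROFS, which
# is where the log messages mentioned in the thread come from.
# Returns 0 only when both calls succeed.
getty_check() {                 # getty_check /dev/tty1 [owner]   (owner defaults to uid 0)
    dev=$1; owner=${2:-0}
    chown "$owner" "$dev" && chmod 0600 "$dev"
}

# Audit after boot: print the ro/rw flag of a mount point from
# /proc/mounts-style lines (spec file vfstype opts freq passno).
mount_flag() {                  # mount_flag /proc/mounts /
    awk -v m="$2" '$2 == m { split($4, o, ","); print o[1] }' "$1"
}

case "${1:-}" in
    build) make_dev_tarball /dev /boot/dev.tar 'hd*' ;;
    boot)  mount_ramdev /boot/dev.tar /dev && mount -t devpts devpts /dev/pts ;;
    audit) echo "/ is $(mount_flag /proc/mounts /), /dev is $(mount_flag /proc/mounts /dev)"
           getty_check /dev/tty1 && echo "getty chown/chmod on /dev/tty1: ok" ;;
esac
```

Two caveats that follow from the thread itself: the step must run from the earliest init script, before /dev/pts and before anything else opens a device node, otherwise a process holds an open descriptor to the old, read-only /dev underneath the new mount; and leaving the hd*/sd* nodes out of the tarball is only worth something if root cannot simply mknod them again (or reach the disk some other way), which is why the boot-from-CD suggestion, not the mount flag, is what actually enforces the read-only property.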