Read-only /

Eidi
Tux's lil' helper
Posts: 82
Joined: Thu Sep 02, 2004 2:08 am
Location: Arizona

Post by Eidi » Tue Feb 21, 2006 8:56 pm

I've been wanting to build a dedicated server box for a while, but I've been thinking about how to secure it. I've read parts of the SELinux handbook, but I don't remember them touching on having a read-only / in the /etc/fstab sections.

On a webserver, all that would need to be written to is various log files and /var for hosting an email server and WordPress. Possibly config files in /etc too. At least, that's how I understand it. I could put those parts on separate partitions and have everything else read only. The security benefits are obvious, but am I overlooking something? Am I totally misunderstanding what needs to be written to? Would other things need to be written to besides what I mentioned above?

I'd also like to someday do this with my router box, only log files would be written to as far as I can tell.

I'm sorry if this is a stupid question and has been asked many times before, but it doesn't seem to be too common an idea except for LiveCDs from searching. If I have this totally wrong, please correct me.

Thanks!
NeddySeagoon
Administrator
Posts: 56088
Joined: Sat Jul 05, 2003 9:37 am
Location: 56N 3W

Post by NeddySeagoon » Tue Feb 21, 2006 9:01 pm

Eidi,

/etc must be on the root partition or /etc/fstab cannot be read. The only file in /etc/ that needs to be written is mtab.
Do what embedded systems do for read-only roots: make /etc/fstab a symlink to /proc/mounts.

Don't stray too far from the Linux Filesystem Hierarchy - you will get a box that can't boot.
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Mankane
n00b
Posts: 27
Joined: Sat Mar 22, 2003 6:29 pm

Post by Mankane » Thu Feb 23, 2006 3:38 am

> Do what embedded systems do for read-only roots: make /etc/fstab a symlink to /proc/mounts.

Did you mean make /etc/mtab a symlink to /proc/mounts?

Charlie
Eidi
Tux's lil' helper
Posts: 82
Joined: Thu Sep 02, 2004 2:08 am
Location: Arizona

Post by Eidi » Thu Feb 23, 2006 4:23 am

So... Hmm... Well, what if I had a /etc/ on the root partition, but it only contained fstab, and then had another /etc/ that mounted over the top of it later on?

I did something like this with my home partition on my main box, kinda. Doesn't seem to have caused any side effects, except I lose some disk space.

Thanks for the info. I may still try something like this, just for added security, assuming it can even work...
NeddySeagoon
Administrator
Posts: 56088
Joined: Sat Jul 05, 2003 9:37 am
Location: 56N 3W

Post by NeddySeagoon » Thu Feb 23, 2006 5:59 pm

Mankane,

Oops, yes!

You will have to mount root rw to add users, change passwords and so on ...
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Eidi
Tux's lil' helper
Posts: 82
Joined: Thu Sep 02, 2004 2:08 am
Location: Arizona

Post by Eidi » Fri Feb 24, 2006 8:42 pm

Ok, I'll set it all up first, and then mount it read only.

Thanks for the info guys.
adsmith
Veteran
Posts: 1386
Joined: Sun Sep 26, 2004 6:59 pm
Location: NC, USA

Post by adsmith » Wed Mar 01, 2006 1:49 pm

I'm considering doing something similar, though for different reasons.

Does "ln -sf /proc/mounts /etc/mtab" give problems on mounting, or do Gentoo's startup scripts deal nicely with the "-n" option on mount?
NeddySeagoon
Administrator
Posts: 56088
Joined: Sat Jul 05, 2003 9:37 am
Location: 56N 3W

Post by NeddySeagoon » Wed Mar 01, 2006 8:52 pm

adsmith,

You may get errors about not being able to update /etc/mtab but the mount will still work.
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
wildhorse
Apprentice
Posts: 185
Joined: Thu Mar 16, 2006 3:59 am
Location: Estados Unidos De América

Post by wildhorse » Sat Apr 08, 2006 2:30 am

Maybe it works, maybe not.

FUSE does not mount a fuse-based file system if the euid equals 0 (root) and /etc/mtab is not writable. FUSE simply fails. Neither does FUSE know the option -n. In fact it fails if the option -n is present. It is possible to compile fusermount.c with -DIGNORE_MTAB, but that is not a good option either.

The whole concept of /etc/mtab is legacy.
broken_chaos
Guru
Posts: 370
Joined: Wed Jan 18, 2006 7:47 am
Location: Ontario, Canada

Post by broken_chaos » Sat Apr 08, 2006 5:40 am

To avoid problems like that, you could also just link /etc/mtab to somewhere that is rw, instead of directly to /proc/mounts.
NeddySeagoon
Administrator
Posts: 56088
Joined: Sat Jul 05, 2003 9:37 am
Location: 56N 3W

Post by NeddySeagoon » Sat Apr 08, 2006 9:56 am

wildhorse,

Beware of broken_chaos's suggestion. The 'somewhere' needs to be mounted before /etc/mtab is written; the startup scripts may not do that. Consider the sequence:
  1. mount root
  2. write /etc/mtab to say root is mounted - breaks because mtab is not mounted
  3. mount someplace
  4. write /etc/mtab to say someplace is mounted - works
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
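Pulling together the layout asked about in the opening post, the /etc/mtab-to-/proc/mounts advice and this warning about mount order, here is an added example that is not code from the thread: a POSIX sh audit of an fstab (a constructed sample is embedded) that reports whether / is read-only, which mountpoints remain writable, and whether a given /etc/mtab symlink target would be writable at the moment the first mount is recorded. The function names, the sample partitions and the /var/run/mtab target are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an fstab for the read-only-root
# layout discussed above. Every function takes the fstab text as an argument,
# so the constructed sample below is checked without touching the real /etc/fstab.

# Constructed sample: / read-only, writable state kept on separate partitions.
SAMPLE_FSTAB='/dev/sda1  /     ext3  ro,noatime             0 1
/dev/sda2  /var  ext3  rw,nosuid              0 2
/dev/sda3  /tmp  ext3  rw,noexec,nosuid,nodev 0 2
proc       /proc proc  defaults               0 0'

# Print the mount options of the fstab entry whose mountpoint is $2.
fstab_opts() {
  printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }'
}

# "yes" if the root entry carries the ro option, otherwise "no".
root_is_ro() {
  case ",$(fstab_opts "$1" /)," in *,ro,*) echo yes ;; *) echo no ;; esac
}

# List the mountpoints that stay writable. Only these can persist state, so
# they (rather than /) are where nosuid/noexec and file monitoring belong.
writable_mounts() {
  printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 != "/" && $3 != "proc" &&
      ("," $4 ",") !~ /,ro,/ { print $2 }'
}

# Classify an /etc/mtab symlink target. With / read-only, mtab is first written
# when / itself is recorded, before any other filesystem is mounted, so a target
# on /var (or anywhere except /proc/mounts) is unwritable at that moment.
mtab_target_status() {
  fstab="$1"; target="$2"
  [ "$target" = /proc/mounts ] && { echo ok; return 0; }
  # Longest-prefix match: which separately mounted filesystem holds the target?
  holder=$(printf '%s\n' "$fstab" | awk -v t="$target" '
      $1 !~ /^#/ && $2 != "/" && index(t, $2 "/") == 1 &&
      length($2) > length(best) { best = $2 }
      END { print best }')
  if [ -n "$holder" ]; then echo "not-mounted-yet:$holder"
  elif [ "$(root_is_ro "$fstab")" = yes ]; then echo root-read-only
  else echo ok; fi
}

# Stand-alone run against the constructed sample.
echo "root ro:            $(root_is_ro "$SAMPLE_FSTAB")"
echo "writable mounts:    $(writable_mounts "$SAMPLE_FSTAB" | tr '\n' ' ')"
echo "mtab->/proc/mounts: $(mtab_target_status "$SAMPLE_FSTAB" /proc/mounts)"
echo "mtab->/var/run/mtab: $(mtab_target_status "$SAMPLE_FSTAB" /var/run/mtab)"
```

A result of ok for /proc/mounts still carries the caveat wildhorse raised above: a tool that insists on writing /etc/mtab itself (fusermount, per that post) will fail.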
wildhorse
Apprentice
Posts: 185
Joined: Thu Mar 16, 2006 3:59 am
Location: Estados Unidos De América

Post by wildhorse » Sat Apr 08, 2006 6:22 pm

I have looked into /sbin/rc and the rest of the startup procedure. The whole idea of updating /etc/mtab is DOA.
© 2001–2026 Gentoo Foundation, Inc.

Powered by phpBB® Forum Software © phpBB Limited

Privacy Policy

 

 

magic