Date: 18 Sep 2002 22:57:31 -0400 From: Lowell Gilbert <freebsd-questions-local@be-well.no-ip.com> To: freebsd-questions@freebsd.org Subject: Re: Monunting /etc read-only was Re: mount read only ... Message-ID: <441y7q3cv8.fsf@be-well.ilk.org> In-Reply-To: <5.1.0.14.0.20020918181508.00bc9da0@mail.lusidor.com> References: <5.1.0.14.0.20020918121808.00be1e30@mail.lusidor.com> <5.1.0.14.0.20020917103713.032c3950@mail.lusidor.nu> <5.1.0.14.0.20020917103713.032c3950@mail.lusidor.nu> <5.1.0.14.0.20020918121808.00be1e30@mail.lusidor.com> <5.1.0.14.0.20020918181508.00bc9da0@mail.lusidor.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Jimmy Lantz <jimmy.lantz@lusidor.com> writes: > At 11:18 2002-09-18 -0400, you wrote: > >Jimmy Lantz <jimmy.lantz@lusidor.com> writes: > > > > > ><snip> > > > > > I'm looking for away to write protect > > > > > some files whats the pros and cons > > > > > with having the file on a seperate partition and mount that read-only > > > > > or use the chflags schg and go to kernel security level 2? > > > > > > > >*Either* way you probably want to raise the security level. A > > > >read-only mount doesn't help if it can be re-mounted writeable. If > > > >the files *have* to be in the same directory with writeable files (as > > > >for many systems is true of /etc), schg can be a very good solution. > > > What in /etc needs to writeable? I was just thinking to mount it read-only. > > > >That's perfectly possible; you just have to work on it a bit, > >especially if you have a large user base. > > Would you care to elaborate on this one? What would need work? > The system in question will only have one wheel user login via SSH, > ther rest is only deamons or nobody. > Is there a FAQ/HOWTO/ or any online info cause google turns up nill on > the topic? I'm starting to get the feeling I'm doing someone's homework for them, but here goes anyway. The only significant issue with /etc is the password file. If you arrange your environment to avoid changes to it, you can run with a read-only /etc. You would also want to run at securelevel 2, because you won't get much gain from a read-only filesystem if it can be changed to read-write easily. Therefore, any changes to the system configuration will involve a reboot. What gets trickier is running with a read-only /usr. There's a whole section on that in the handbook, but that is less of a security issue than one of being able to share the filesystem between systems. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?441y7q3cv8.fsf>