From owner-freebsd-questions Wed Sep 18 19:57:35 2002 Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A0E1137B401 for ; Wed, 18 Sep 2002 19:57:33 -0700 (PDT) Received: from be-well.ilk.org (lowellg.ne.client2.attbi.com [24.147.188.198]) by mx1.FreeBSD.org (Postfix) with ESMTP id CBC2143E6A for ; Wed, 18 Sep 2002 19:57:32 -0700 (PDT) (envelope-from freebsd-questions-local@be-well.no-ip.com) Received: from be-well.ilk.org (lowellg.ne.client2.attbi.com [24.147.188.198]) by be-well.ilk.org (8.12.6/8.12.5) with ESMTP id g8J2vWLm015250 for ; Wed, 18 Sep 2002 22:57:32 -0400 (EDT) (envelope-from freebsd-questions-local@be-well.no-ip.com) Received: (from lowell@localhost) by be-well.ilk.org (8.12.6/8.12.6/Submit) id g8J2vWhW015247; Wed, 18 Sep 2002 22:57:32 -0400 (EDT) X-Authentication-Warning: be-well.ilk.org: lowell set sender to freebsd-questions-local@be-well.ilk.org using -f To: freebsd-questions@freebsd.org Subject: Re: Monunting /etc read-only was Re: mount read only ... References: <5.1.0.14.0.20020918121808.00be1e30@mail.lusidor.com> <5.1.0.14.0.20020917103713.032c3950@mail.lusidor.nu> <5.1.0.14.0.20020917103713.032c3950@mail.lusidor.nu> <5.1.0.14.0.20020918121808.00be1e30@mail.lusidor.com> <5.1.0.14.0.20020918181508.00bc9da0@mail.lusidor.com> From: Lowell Gilbert Date: 18 Sep 2002 22:57:31 -0400 In-Reply-To: <5.1.0.14.0.20020918181508.00bc9da0@mail.lusidor.com> Message-ID: <441y7q3cv8.fsf@be-well.ilk.org> Lines: 37 User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.2 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Jimmy Lantz writes: > At 11:18 2002-09-18 -0400, you wrote: > >Jimmy Lantz writes: > > > > > > > > > > > I'm looking for away to write protect > > > > > some files whats the pros and cons > > > > > with having the file on a seperate partition and mount that read-only > > > > > or use the chflags schg and go to kernel security level 2? > > > > > > > >*Either* way you probably want to raise the security level. A > > > >read-only mount doesn't help if it can be re-mounted writeable. If > > > >the files *have* to be in the same directory with writeable files (as > > > >for many systems is true of /etc), schg can be a very good solution. > > > What in /etc needs to writeable? I was just thinking to mount it read-only. > > > >That's perfectly possible; you just have to work on it a bit, > >especially if you have a large user base. > > Would you care to elaborate on this one? What would need work? > The system in question will only have one wheel user login via SSH, > ther rest is only deamons or nobody. > Is there a FAQ/HOWTO/ or any online info cause google turns up nill on > the topic? I'm starting to get the feeling I'm doing someone's homework for them, but here goes anyway. The only significant issue with /etc is the password file. If you arrange your environment to avoid changes to it, you can run with a read-only /etc. You would also want to run at securelevel 2, because you won't get much gain from a read-only filesystem if it can be changed to read-write easily. Therefore, any changes to the system configuration will involve a reboot. What gets trickier is running with a read-only /usr. There's a whole section on that in the handbook, but that is less of a security issue than one of being able to share the filesystem between systems. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message