Date: Thu, 21 Dec 2000 23:11:20 -0800 From: "Crist J. Clark" <cjclark@reflexnet.net> To: David Pick <D.M.Pick@qmw.ac.uk> Cc: freebsd-security@FreeBSD.ORG Subject: Re: Read-Only Filesystems Message-ID: <20001221231120.F96105@149.211.6.64.reflexcom.com> In-Reply-To: <E1494zh-0007HA-00@xi.css.qmw.ac.uk>; from D.M.Pick@qmw.ac.uk on Thu, Dec 21, 2000 at 12:38:49PM %2B0000 References: <657B20E93E93D4118F9700D0B73CE3EA024346@goofy.epylon.lan> <E1494zh-0007HA-00@xi.css.qmw.ac.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Dec 21, 2000 at 12:38:49PM +0000, David Pick wrote: > > > The only way I could think of to do his securely in the current > > implementation is to chflags most of the etc dir (with the exception > > of files that did need to be cahnged like passwd master.passwd > > aliases, etc.).. mainly the rc files.. but this makes administering > > remotely a pain in the ass.. Of course, security in many cases comes > > with a hassle factor. > > Some years ago I was running a RISCiX system and wanted to use > it in a number of different locations on the network. I set up > a slightly unusual disc structure as follows: > 1) The / filesystem was mounted read-only - permamently > 2) There was no separate /usr filesystem > 3) For each of the "changeable" files there was a symbolic > link of the form: /etc/passwd -> /config/etc/passwd Just a note, symlinks won't work with FreeBSD's passwd(1). -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001221231120.F96105>