Eidi Tux's lil' helper
Joined: 02 Sep 2004 Posts: 82 Location: Arizona
Posted: Tue Feb 21, 2006 8:56 pm Post subject: Read-only /
I've been wanting to build a dedicated server box for a while, but I've been thinking about how to secure it. I've read parts of the SELinux handbook, but I don't remember them touching on having a readonly / in the /etc/fstab sections.
On a webserver, all that would need to be written to is various log files and /var for hosting an Email server and WordPress. Possibly config files in /etc too. At least, that's how I understand it. I could put those parts on separate partitions and have everything else read only. The security benefits are obvious, but am I overlooking something? Am I totally misunderstanding what needs to be written to? Would other things need to be written to besides what I mentioned above?
I'd also like to someday do this with my router box, only log files would be written to as far as I can tell.
I'm sorry if this is a stupid question and has been asked many times before, but it doesn't seem to be too common an idea except for LiveCDs from searching. If I have this totally wrong, please correct me.
Thanks!
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54577 Location: 56N 3W
Posted: Tue Feb 21, 2006 9:01 pm
Eidi,
/etc must be on the root partition or /etc/fstab cannot be read. The only file in /etc/ that needs to be written is mtab.
Do what embedded systems do for read-only roots: make /etc/fstab a symlink to /proc/mounts.
Don't stray too far from the Linux Filesystem Hierarchy - you will get a box that can't boot.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Mankane n00b
Joined: 22 Mar 2003 Posts: 27
Posted: Thu Feb 23, 2006 3:38 am
Quote: Do what embedded systems do, for read only roots. make /etc/fstab a symlink to /proc/mounts.
Did you mean make /etc/mtab a symlink to /proc/mounts?
Charlie
Eidi Tux's lil' helper
Joined: 02 Sep 2004 Posts: 82 Location: Arizona
Posted: Thu Feb 23, 2006 4:23 am
So... Hmm... Well, what if I had a /etc/ on the root partition, but it only contained fstab, and then had another /etc/ that mounted over the top of it later on?
I did something like this with my home partition on my main box, kinda. Doesn't seem to have caused any side effects, except I lose some disk space.
Thanks for the info. I may still try something like this, just for added security, assuming it can even work...
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54577 Location: 56N 3W
Posted: Thu Feb 23, 2006 5:59 pm
Mankane,
Oops, yes!
You will have to mount root rw to add users, change passwords and so on ...
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Eidi Tux's lil' helper
Joined: 02 Sep 2004 Posts: 82 Location: Arizona
Posted: Fri Feb 24, 2006 8:42 pm
Ok, I'll set it all up first, and then mount it read only.
Thanks for the info guys.
adsmith Veteran
Joined: 26 Sep 2004 Posts: 1386 Location: NC, USA
Posted: Wed Mar 01, 2006 1:49 pm
I'm considering doing something similar, though for different reasons.
Does "ln -sf /proc/mounts /etc/mtab" give problems on mounting, or do Gentoo's startup scripts deal nicely with the "-n" option on mount?
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54577 Location: 56N 3W
Posted: Wed Mar 01, 2006 8:52 pm
adsmith,
You may get errors about not being able to update /etc/mtab but the mount will still work.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
wildhorse Apprentice
Joined: 16 Mar 2006 Posts: 150 Location: Estados Unidos De América
Posted: Sat Apr 08, 2006 2:30 am
Maybe it works, maybe not.
FUSE does not mount a FUSE-based file system if the euid is equal to 0 (root) and /etc/mtab is not writable. FUSE simply fails. Neither does FUSE know the option -n. In fact it fails if the option -n is present. It is possible to compile fusermount.c with -DIGNORE_MTAB, but that is not a good option either.
The whole concept of /etc/mtab is legacy.
broken_chaos Guru
Joined: 18 Jan 2006 Posts: 370 Location: Ontario, Canada
Posted: Sat Apr 08, 2006 5:40 am
To avoid problems like that, you could also just link /etc/mtab to somewhere that is rw, instead of directly to /proc/mounts.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54577 Location: 56N 3W
Posted: Sat Apr 08, 2006 9:56 am
wildhorse,
Beware of broken_chaos's suggestion. The 'somewhere' needs to be mounted before /etc/mtab is written, and the startup scripts may not do that. Consider the sequence:
mount root
write /etc/mtab to say root is mounted - breaks because mtab is not mounted
mount someplace
write /etc/mtab to say someplace is mounted - works
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
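A worked check for two points raised in this thread, Eidi's question of which parts of a web server tree actually need to be writable and NeddySeagoon's warning about where a relocated /etc/mtab can live. This is an added shell example, not code from the thread or from Gentoo's init scripts. The fstab it audits is constructed for illustration (device names and partition layout are assumed): root mounted ro, with /var, /tmp and /home as separate rw partitions. It lists every writable filesystem, flags writable ones that lack a given hardening option, and, for a candidate /etc/mtab target, reports which filesystem would hold it and why that works or fails (on the read-only root, on /proc/mounts, or on a partition mounted after root).

```shell
#!/bin/sh
# Added example: audit an fstab for a read-only-root server.
# Constructed sample, not from the thread. Root is ro; only /var, /tmp, /home are rw.
SAMPLE_FSTAB='# <fs>     <mountpoint> <type> <options>                        <dump> <pass>
/dev/sda1  /            ext3   ro,noatime                       0 1
/dev/sda2  /var         ext3   rw,noatime,nosuid,nodev          0 2
/dev/sda3  /tmp         ext3   rw,noatime,nosuid,nodev,noexec   0 2
/dev/sda4  /home        ext3   rw,noatime                       0 2
proc       /proc        proc   defaults                         0 0'

# Constructed "before" layout: root left at "defaults", which mount(8) treats as rw.
SAMPLE_FSTAB_RW_ROOT='/dev/sda1  /      ext3  defaults  0 1
proc       /proc  proc  defaults  0 0'

# root_is_ro FSTAB: succeed only if the "/" entry carries the "ro" option.
root_is_ro() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF < 4 { next }
        $2 == "/" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
        END { exit(found ? 0 : 1) }'
}

# writable_mounts FSTAB: print every mountpoint whose options do not include "ro".
# Anything without an explicit "ro" (including "defaults") is mounted read-write.
writable_mounts() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF < 4 { next }
        {
            n = split($4, o, ","); ro = 0
            for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1
            if (!ro) print $2
        }'
}

# missing_option FSTAB OPTION: print writable, real (non proc/sysfs) filesystems
# that lack OPTION, e.g. nosuid or nodev on the partitions a web app can write to.
missing_option() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[ \t]*#/ || NF < 4 { next }
        $3 == "proc" || $3 == "sysfs" { next }
        {
            n = split($4, o, ","); ro = 0; has = 0
            for (i = 1; i <= n; i++) { if (o[i] == "ro") ro = 1; if (o[i] == want) has = 1 }
            if (!ro && !has) print $2
        }'
}

# mount_holding_path FSTAB PATH: the longest mountpoint prefix of PATH, i.e. the
# filesystem a file at PATH would actually be written to.
mount_holding_path() {
    printf '%s\n' "$1" | awk -v p="$2" '
        /^[ \t]*#/ || NF < 4 { next }
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) > length(best)) best = mp
        }
        END { print best }'
}

# mtab_verdict FSTAB TARGET: where would a (symlinked) /etc/mtab at TARGET end up?
#   kernel                 - /proc/mounts: nothing is written; tools that insist on
#                            writing mtab (the FUSE case above) still fail
#   unwritable             - on the read-only root, so every mtab update fails
#   ok                     - on a writable root
#   ordered-after-root:/x  - on a partition mounted after root, so the first mtab
#                            write (recording root itself) happens before /x exists
mtab_verdict() {
    holder=$(mount_holding_path "$1" "$2")
    case $holder in
        /proc) echo "kernel" ;;
        /) if root_is_ro "$1"; then echo "unwritable"; else echo "ok"; fi ;;
        *) echo "ordered-after-root:$holder" ;;
    esac
}

# Stand-alone run: summarise the constructed layout.
echo "writable filesystems:"; writable_mounts "$SAMPLE_FSTAB"
echo "writable without nosuid:"; missing_option "$SAMPLE_FSTAB" nosuid
for t in /etc/mtab /proc/mounts /var/run/mtab; do
    echo "mtab at $t: $(mtab_verdict "$SAMPLE_FSTAB" "$t")"
done
```

Read the verdicts against the thread: with root ro, a plain file /etc/mtab cannot be written at all, a symlink into /var is written after root has already been recorded (NeddySeagoon's sequence), and a symlink to /proc/mounts needs no writes but still trips tools such as fusermount that refuse to continue when mtab is not writable. The nosuid/nodev check is the part Eidi's question did not ask but a hardened web host wants: the partitions a web application can write to are exactly the ones where a dropped setuid binary or device node would matter.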
|
wildhorse Apprentice
Joined: 16 Mar 2006 Posts: 150 Location: Estados Unidos De América
Posted: Sat Apr 08, 2006 6:22 pm
I have looked into /sbin/rc and the rest of the startup procedure. The whole idea of updating /etc/mtab is DOA.