Re: Is it possible to setup read-only root ?

Reindl Harald wrote:


> On 01.07.2012 19:08, Joe Zeff wrote:
>> On 07/01/2012 10:01 AM, John Wendel wrote:
>>> Is it possible to set up Fedora, using Fedora provided tools/software,
>>> with a read-only root partition?
>>>
>>> There's an ancient wiki entry from the FC6 days that indicates that some
>>> work was done, but I would assume that this depended on the SysV init
>>> system. I haven't seen any mention of read-only root setup with systemd.
>>>
>>> Any clues would be greatly appreciated.
>>
>> If I'm not mistaken, /var needs to be on that partition and needs to be writable.
>
> it is not uncommon to have /var on its own partition
>
>> If so, then you can't have a
>> read-only root partition.
>
> it works, but be really careful
>
>> And, just so we all know where we're going here, why would you want to?
>
> in theory more security
>
> imagine a root-exploit changing a system binary
> much more difficult if the rootfs is readonly

Not clear if that really would help or not, setting attribute immutable on selected things makes them pretty bulletproof, although for the projected use I doubt it would be an issue.

The problem is that Linux doesn't support an overlay filesystem, sort of like copy on write, but at the inode level. That will allow you to "change" files all you want, but the working copy goes elsewhere.

I run tests using COW copies of disk images, so the original can be shared and will remain unchanged. I bet a system using a cheap flash card for root doesn't have a VM-capable CPU, or the root could be tiny and the app could run in a throwaway VM, recreated at boot time.

See: qemu-img create -b real.img -f qcow2 single-use.img

Booting off the copy will put changes in an image which can be discarded, or you can run multiple VMs off a single image.


--
Bill Davidsen <davidsen@xxxxxxx>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
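The throwaway-overlay workflow Bill describes, as an added example that is not part of the original post: it builds the qcow2 overlay with the quoted qemu-img command, writes into the overlay the way a booted guest would, and checks that the shared base image stays byte-identical. It assumes qemu-img and qemu-io (qemu-utils) are installed; the image names and the temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): disposable copy-on-write
# overlay around the qemu-img command quoted in the thread.
# Assumes qemu-img and qemu-io are installed; images are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BASE="$WORK/real.img"            # shared base, must never change
OVERLAY="$WORK/single-use.img"   # throwaway copy, receives all writes

sha() { sha256sum "$1" | cut -d' ' -f1; }

# Create a raw base image and a qcow2 overlay backed by it.
# -F names the backing format so qemu does not have to probe it.
make_overlay() {
    truncate -s 16M "$BASE"
    qemu-img create -q -f qcow2 -F raw -b "$BASE" "$OVERLAY" >/dev/null
}

# Write into the overlay (as a guest booted from it would) and report
# whether the base is still byte-identical. Prints "unchanged",
# "CHANGED", or "skipped" when the qemu tools are not installed.
cow_check() {
    command -v qemu-img >/dev/null && command -v qemu-io >/dev/null \
        || { echo skipped; return 0; }
    make_overlay
    before=$(sha "$BASE")
    qemu-io -c "write -P 0xab 0 64k" "$OVERLAY" >/dev/null
    after=$(sha "$BASE")
    if [ "$before" = "$after" ]; then echo unchanged; else echo CHANGED; fi
}

# Deleting the overlay discards every change made since it was created;
# the base can be reused for the next run or shared between several VMs.
discard_overlay() { rm -f "$OVERLAY"; [ ! -e "$OVERLAY" ]; }

cow_check
discard_overlay
```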


--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

