[lug] Protecting filesystems [Was: R00tKIT!! Raah!]
jeff at neobox.net
Tue Jun 14 21:33:28 MDT 2005

> How do you get around /etc needing to be rw? It's not absolutely
> critical, but it breaks a lot of stuff if it isn't. (E.g.,
> /etc/mtab can't be updated, among others.)

You could symlink /etc/mtab to /proc/mounts.

I've tried mounting / read-only before, but find that adding a user or
changing a minor configuration item then becomes a tedious chore
because you have to remount read-write, make the change, remount

I've considered linking /etc to, say, /var/etc (or something) but that
causes problems at boot time because the other partitions aren't yet
mounted. Around and around we go...

> > /tmp & /var are symlinked to /data/tmp and /data/var respectively

> Why not 'mount -ttmpfs none /tmp', and using separate data
> partitions under /var?

My experience with tmpfs has been mixed. While it's great because it's
memory-only (using no disk space, and wiped at reboot), every now and
then some process will need a LOT of temp space and will chew through
the 64MB I've allocated. Sure I could allocate 256MB or whatever, but
then I risk consuming RAM and forcing the system to swap. Ugh.

The bottom line, for me, is to use tmpfs for systems that aren't
high-load or require a lot of churn in the /tmp directory. YMMV.
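The remount read-write, make the change, remount cycle described in the message above can be wrapped so that / always goes back to read-only, even when the change fails. This is an added example, not part of the original post; the names with_rw_root and MOUNT_BIN are hypothetical, and MOUNT_BIN exists only so the wrapper can be dry-run without touching the real mount table.

```shell
#!/bin/sh
# Added example (not from the original post).
# Runs one command with / remounted read-write, then returns / to
# read-only whether or not the command succeeded.
#
# MOUNT_BIN is an assumption of this sketch: point it at a stub to
# rehearse the wrapper; by default the real mount(8) is used.
MOUNT_BIN="${MOUNT_BIN:-mount}"

with_rw_root() {
    if [ "$#" -eq 0 ]; then
        echo "usage: with_rw_root command [args...]" >&2
        return 2
    fi

    # Do not run the command at all if / could not be made writable.
    "$MOUNT_BIN" -o remount,rw / || return 1

    # Capture the command's status instead of aborting on failure, so
    # the remount back to read-only below is always attempted.
    rc=0
    "$@" || rc=$?

    # remount,ro is refused while any file on / is still open for
    # writing; report that loudly rather than leaving / writable
    # without anyone noticing.
    if ! "$MOUNT_BIN" -o remount,ro /; then
        echo "with_rw_root: / is STILL read-write (files open for writing?)" >&2
        return 3
    fi

    # Hand back the wrapped command's own exit status.
    return "$rc"
}
```

Sourced into a root shell, a change becomes a single step, e.g. `with_rw_root useradd alice`; exit status 3 means the filesystem was left writable and needs attention.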