[lug] Protecting filesystems [Was: R00tKIT!! Raah!]

Jeff Schroeder jeff at neobox.net
Tue Jun 14 21:33:28 MDT 2005

Bear asked:

> How do you get around /etc needing to be rw?  It's not absolutely
> critical, but it breaks a lot of stuff if it isn't.  (E.g.,
> /etc/mtab can't be updated, among others.)

You could symlink /etc/mtab to /proc/mounts.

I've tried mounting / read-only before, but find that adding a user or 
changing a minor configuration item then becomes a tedious chore 
because you have to remount read-write, make the change, remount 
read-only... sigh.

I've considered linking /etc to, say, /var/etc (or something) but that 
causes problems at boot time because the other partitions aren't yet 
mounted.  Around and around we go...

> > /tmp & /var are symlinked to /data/tmp and /data/var respectively
> Why not 'mount -ttmpfs none /tmp', and using separate data
> partitions under /var?

My experience with tmpfs has been mixed.  While it's great because it's 
memory-only (using no disk space, and wiped at reboot), every now and 
then some process will need a LOT of temp space and will chew through 
the 64MB I've allocated.  Sure I could allocate 256MB or whatever, but 
then I risk consuming RAM and forcing the system to swap.  Ugh.

The bottom line, for me, is to use tmpfs for systems that aren't 
high-load or require a lot of churn in the /tmp directory.  YMMV.


More information about the LUG mailing list