Page 2 of 5 FirstFirst 1234 ... LastLast
Results 11 to 20 of 48

Thread: Read Only Root disk

  1. #11
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,270

    Default Re: Read Only Root disk

    This is what I found:
    Code:
    ro        [KNL] Mount root device read-only on boot
    Thus it is only on boot. Nowhere any mentioning of blocking later mounting in another way. Would be rather strange in any case because depending on what is in the root partition, every system configuration change and even a security update would be made impossible.

    I do not completely understand what you try to achieve and why. But to me it seems that you have "authorised users" (authorised to do what?) that shouldn't be. The Unix/Linux principle is clear: a user can/may not change the system, only root can/may. This is independent of the fact if you like that principle. Thus either you trust somebody to be root (and preferable implement some checking of accountability) or you don't.

    Using sudo for some exceptions is possible, but they must be exceptions and well thought over and implemented. And not to much of them because they then become unmanagable.
    Henk van Velden

  2. #12

    Default Re: Read Only Root disk

    hcvv wrote:
    > I do not completely understand what you try to achieve and why. But to
    > me it seems that you have "authorised users" (authorised to do what?)
    > that shouldn't be. The Unix/Linux principle is clear: a user can/may not
    > change the system, only -root- can/may. This is independent of the fact
    > if you like that principle. Thus either you trust somebody to be -root-
    > (and preferable implement some checking of accountability) or you don't.


    Exactly. You either must impose technical security (prevent spys etc),
    which means the users can't be root, or else you impose human security
    (have the organization work efficiently), which means codes of conduct
    and firing people who don't follow the rules.

    > Using -sudo- for some exceptions is possible, but they must be
    > exceptions and well thought over and implemented. And not to much of
    > them because they then become unmanagable.


  3. #13
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: Read Only Root disk

    On 2012-05-04 15:06, berryvansleeuwen wrote:
    >
    > Yes, the link works fine, but in bugzilla it asks for a registration
    > code.


    It doesn't here. However, the login/password is the same as for the forums.
    If it ask for registration, your browser is broken.

    >
    > Creating an ISO image sounds interesting, maybe I can try that.


    The difficulty will then be mounting /var r/w.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4 x86_64 "Celadon" at Telcontar)

  4. #14
    Join Date
    Jan 2009
    Location
    Nederland
    Posts
    36

    Default Re: Read Only Root disk

    OK, look at it the other way, why would the / disk be mounted read-only at boot, only to remount it writable later on? If the boot parameter is set to RO shouldn't there be a reason for that? Because it is a read-only disk (such as an ISO) or because we want to prevent write access other than after a reboot and selecting the writable menu option?

    Indeed, an update for whatever reason is impossible. That's the goal. Whenever an update is required it is changed once in the baseline and then distributed in a controlled way. Changes are only allowed after testing and approval. This way we can ensure only a tested configuration will be enrolled and we can provide proof to auditors for that. As a bonus, migrations are so much easier this way.

    In a way this is technical security. On the one hand prevent someone to gain (root)access to the machine. But if someone does, either by accident or on purpose, make sure he can't do any harm anyway.

    Indeed, the best way would be to have as few root users in the system as possible. But some groups do not agree, even some software vendors do not agree.

    Regards, Berry.

  5. #15
    Join Date
    Jan 2009
    Location
    Nederland
    Posts
    36

    Default Re: Read Only Root disk

    Why would it be hard to mount /var? The /var is a seperate partition, just as /tmp and /srv. So we can just mount that on the var directory in the read-only /.

    Regards, Berry.

  6. #16
    Join Date
    Jun 2008
    Location
    Kansas City Area, Missouri, USA
    Posts
    7,235

    Default Re: Read Only Root disk

    On 05/04/2012 10:36 AM, berryvansleeuwen wrote:
    >
    > OK, look at it the other way, why would the / disk be mounted read-only
    > at boot, only to remount it writable later on? If the boot parameter is
    > set to RO shouldn't there be a reason for that? Because it is a
    > read-only disk (such as an ISO) or because we want to prevent write
    > access other than after a reboot and selecting the writable menu option?


    You may just have pointed to the Achilles heel of your argument. Is not the /
    partition initially mounted read-only so that it can be ******? If that is true,
    then at least that utility can write to a RO disk. I think you need the external
    write-lock switch.



  7. #17
    Join Date
    Jan 2009
    Location
    Nederland
    Posts
    36

    Default Re: Read Only Root disk

    Why would that be the Achilles heel? If it's a read-only disk, there are never changes to the disk. So no open files or orphan inodes. Therefore a fsck is not needed for the disk and is disabled. Indeed, that utility could decide to write to the disk, so it is even not allowed for that disk. IIRC the boot.rootfsck and boot.localfs in OpenSuse 12 even skip the fsck if the root disk is (to be) mounted read-only.

  8. #18
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,270

    Default Re: Read Only Root disk

    fsck is working reading/writing on the partition, not on the file system. You should in principle run fsck on the unmounted file system to be sure there are no changes to the file system during checking. Of course there are also no changes when mounted ro. But the important thing here is that fsck does basicaly not care about it being mounted ro or not, it has nothing to do with that.
    Henk van Velden

  9. #19
    Join Date
    Jun 2008
    Location
    Groningen, Netherlands
    Posts
    19,987
    Blog Entries
    14

    Default Re: Read Only Root disk

    Am I wrong in thinking that you would need a reboot, i.e. downtime on any required change to the system?
    ° Appreciate my reply? Click the star and let me know why.

    ° Perfection is not gonna happen. No way.

    https://en.opensuse.org/openSUSE:Board#Members
    http://en.opensuse.org/User:Knurpht
    http://nl.opensuse.org/Gebruiker:Knurpht

  10. #20
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: Read Only Root disk

    On 2012-05-04 18:56, berryvansleeuwen wrote:
    > IRC the boot.rootfsck and boot.localfs in OpenSuse 12 even skip
    > the fsck if the root disk is (to be) mounted read-only.


    No, it doesn't.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4 x86_64 "Celadon" at Telcontar)

Page 2 of 5 FirstFirst 1234 ... LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •