Page 5 of 5 FirstFirst ... 345
Results 41 to 48 of 48

Thread: Read Only Root disk

  1. #41
    Join Date
    Jan 2009
    Location
    Nederland
    Posts
    36

    Default Re: Read Only Root disk


    > I don't understand. It is your job to install Oracle, not theirs. If they
    > are root, they are responsible and it is their systems, not yours anymore.


    The downside of a large company. We have some 10 groups who all are responsible for their own product. In their opinion (not mine) that includes installing their product. Trying to change that is like moving a mountain. One reason for a full read only system, other than to secure the system, is to enforce them to handover installation instructions and/or installscripts for us to execute.

    Regards, Berry.

  2. #42
    Join Date
    Jan 2009
    Location
    Nederland
    Posts
    36

    Default Re: Read Only Root disk

    Quote Originally Posted by gogalthorp View Post
    If I have root I can umount a ro partition and remount rw so I don't understand the problem.

    Seems to me that it much simpler to simply not give users root and install additional stuff on request by a trusted tech.

    Another thing is the OpenSUSE by the fact a new version is released about every 6 months and support stops in about 18 months is not normally suitable for a Enterprise environment.
    The problem at hand is just that the / can be remounted. I'd like to prevent write access all together. In my virtual systems I'm able to do so, now I'm looking to do the same in a PC, if possible.

    As for give root access, see previous posting, try moving a mountain...

    Agreed, OpenSuse is not for production, it's just proof of concept in a PC system. I might as well have taken SLES but I have OpenSuse at home already available.

    Regards, Berry.

  3. #43
    Join Date
    Jan 2009
    Location
    Nederland
    Posts
    36

    Default Re: Read Only Root disk

    Quote Originally Posted by hcvv View Post
    And in the end it is of course "only" an organisational problem.

    There is only one person/department responsible for system management. And it is only that person/department that has root access. When your management does not accept that, you better look for another job.

    I know it is a hard battle. but you are the system manager, you are the expert. You should of course also try to provide as good a service as possible to Database Adminisrators, etc. But you have your resposabilities and they have theirs. When your management does not accept this, they will fail any security assesment from outside.


    I couldn't agree more.

    Regards, Berry.

  4. #44
    Join Date
    Jan 2009
    Location
    Nederland
    Posts
    36

    Default Re: Read Only Root disk


    > There are no "extentions" of fsck. fsck is the general program.

    > Of course there is an fsck dedicated to every type of file system. Every file system type has it's own inernal structure and fsck has the task to check that structure and eventaly repair it. Thus every file system type comes with it's own fsck version (made by the designers of that type of file system).


    Sorry for the confusion, extentions was the wrong word here. Yes, I know extentions are not in use as we have in that *other* filesystem.

    Perhaps this is about semantics. Yes, the parameter is a partition and usually there is a filesystem in that partition. fsck identifies the filesystem and executes the check for that particular filesystem. But I expect fsck cannot check an empty partition (no fs) or an unsupported filesystem. Other than perhaps check the configuration found in the partition table. When using lvm fsck doesn't check the particular partition but the filesystem that is included in the lvm. So I conclude from that that fsck doesn't check the partition but the filesystem.

    Anyway, in the case I'm looking at we not only mount the filesystem read-only, we even want the partition to be read-only. But that proves to be the challenge. As fsck is concerned, it doesn't really matter if it runs or not. Since the filesystem will not change the fsck will never attempt to write to it.

    Regards, Berry.

  5. #45
    Join Date
    Jun 2008
    Location
    Kansas City Area, Missouri, USA
    Posts
    7,235

    Default Re: Read Only Root disk

    On 05/05/2012 09:56 AM, berryvansleeuwen wrote:
    >
    >> I don't understand. It is your job to install Oracle, not theirs. If

    > they
    >> are root, they are responsible and it is their systems, not yours

    > anymore.
    >
    >
    > The downside of a large company. We have some 10 groups who all are
    > responsible for their own product. In their opinion (not mine) that
    > includes installing their product. Trying to change that is like moving
    > a mountain. One reason for a full read only system, other than to secure
    > the system, is to enforce them to handover installation instructions
    > and/or installscripts for us to execute.


    Put them on a VM with two virtual disks. The one with root on it can be made ro
    on the host, which is the equivalent of the external switch. The second VD will
    be the normal rw. Each of your groups can have its own VM, but the root disk can
    be shared.




  6. #46
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,143

    Default Re: Read Only Root disk

    I am afraid that I am not clear enough and thus you do not understand my point.

    First, when I talk about partition, I in fact mean any type of container where you can put a file system in. That includes: whole disks, disk partitions, logical vulumes, etc. fsck acts (reads/writes) on those using the block device special file of the container. And thus, the ownership and access bits of the block device special files dictate what fsck can do (and NOT if and how the correcponding file system is mounted).

    fsck is only a wrapper around the several dedicated fsck.<file-system-type> programs on your system.

    fsck does NOT check anything in the partition table, it does not even use it.

    You (root) can of course remove the access bits for writing from the device special file (and when you want to do that a.s.a.p. after boot, I guess you should do that in makng appropriate udev rules), but again, root (and that in youre case seems to means almost everybody) can undo that again.

    Main reason of your problem is you organisation (or lack of it). And when you say that it is a large organisation, it seems not to be large enough to have proper (ICT) security management in place.

    IMHO you only can get a technical solution for this problem by designing a new operating system (when at all possible, managers are notorious for not being able to define an exact whish, and what is not defined exact, you can not program).
    Henk van Velden

  7. #47
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: Read Only Root disk

    On 2012-05-05 18:36, hcvv wrote:
    > Main reason of your problem is you organisation (or lack of it). And
    > when you say that it is a large organisation, it seems not to be large
    > enough to have proper (ICT) security management in place.


    IMO, if the teams need to install their applications, and for that the need
    root, then they need to have a qualified system administrator in the team,
    that's all. Making the filesystem read only will only **** them. Or impede
    their working, in polite terminology.

    The job of IT is not only to secure the systems, it is to facilitate the
    jobs of the teams, at their service. The goal is the teams, not the IT.


    In simpler words: we do not setup a computer because we love computers, but
    because we need to write letters. The goal is writing those letters. Or
    whatever.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4 x86_64 "Celadon" at Telcontar)

  8. #48

    Default Re: Read Only Root disk

    berryvansleeuwen wrote:
    > Indeed, root shouldn't be needed. But as mentioned, some do not agree.
    > Try installing Oracle or DB2. Or rather, others want to install it and
    > complain we do not open up our system. In the end the manager forces us
    > to assign full access. And later on complain to us when the system has
    > been messed up by the root user. Even Yast usually requires root. Not a
    > problem when I should do something but it is a problem when a DBA or
    > network guru has the ability to switch to root and go outside his
    > responsibilities. Anyway, that discussion is somewhat off-topic. It's
    > not so much preventing root access as it is preventing anyone, root
    > included, to change the base coding at will.


    Does sudo help you? If you configure the system like ubuntu, without a
    root account, and use sudo for all root access then:
    (1) you can access the sudo logs to see what commands were executed e.g.
    whilst installing Oracle.
    (2) you can give fairly precise permissions to individual admins, so
    they have just enough power to do their job.

    Obviously, they can circumvent such protection if they have physical
    control of the machine, but it is clearly a deliberate breach.

    Another approach might be to give them a 'clean' system, then
    snapshot/backup the system after their install and do a diff against a
    'clean' reference. That at least would tell you if they had forgotten to
    record any changes.

Page 5 of 5 FirstFirst ... 345

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •