Bugtraq mailing list archives

Re: BoS: amodload.tar.gz - dynamic SunOS modules


From: Markus.Zellner () anu edu au (Markus Zellner)
Date: Fri, 21 Jun 1996 12:32:46 +1000


der Mouse writes:
>> With writeable CDROM drives around $700, has anybody considered
>> setting up their system [...] and then backing the disk to WCDROM?
> As someone else pointed out, all that does is speed up recovery; it
> doesn't harden the system against attacks any.
>
> What _will_ help is to make your boot disk physically read-only.  I
> have tried this with SunOS 4.1.x and NetBSD (with NFS-mounted root, not
> a real disk that's write protected, but the issues are the same).  The
> latter is relatively easy; the former is much harder but I think would
> be doable with a couple of binary patches to programs like mount that
> pigheadedly insist on writing into /etc.

I have wondered about how to set up a system with a read only / and /usr
partition, but as you say things like mount wanting to write into /etc
really spoil the idea.  Does anyone have a list of issues that stop /
and /usr being mounted read only (either logically or physically, or on
read only media) on a machine running, say, Solaris? I'll start off the
list with the following.

        Program/system          writes to

        mountd                  /etc/mnttab
        automountd              /etc/mnttab
        passwd                  /etc/passwd /etc/shadow
        syslogd                 /etc/syslog.pid
        crond                   /etc/cron.d/FIFO
        opie                    /etc/opiekeys

Does anything break if you mount /dev and /devices read only?

--
Markus Zellner | IT Security Support Officer | Markus.Zellner () anu edu au
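
One way to build the kind of list requested in this message, as an added example that is not part of the original post: the shell functions below flag entries on a single filesystem that have been written since a reference file's timestamp, plus FIFOs and sockets that a daemon may recreate at start-up. The names `ro_blockers` and `ro_summary` are hypothetical, and the reference file is assumed to be something you touch yourself (for example right after boot) before letting the system run for a while.

```shell
#!/bin/sh
# ro_blockers ROOT REF
#   W <path>  non-directory entry with mtime newer than REF (written since REF)
#   P <path>  FIFO or socket, to review: its owning daemon may create it at start-up
ro_blockers() {
    root=$1
    ref=$2
    if [ ! -d "$root" ] || [ ! -e "$ref" ]; then
        echo "usage: ro_blockers ROOT REF" >&2
        return 2
    fi
    # -xdev keeps find on the filesystem that holds ROOT, so a scan of /
    # does not wander into /var, /tmp or NFS mounts.
    find "$root" -xdev \( -type p -o -type s \) -print 2>/dev/null |
        sed 's/^/P /'
    find "$root" -xdev ! -type d ! -type p ! -type s -newer "$ref" -print 2>/dev/null |
        sed 's/^/W /'
}

# ro_summary ROOT REF
#   Prints "<count> <directory>" for each directory holding flagged entries,
#   busiest first, to show where the writes cluster (e.g. /etc).
ro_summary() {
    ro_blockers "$1" "$2" | awk '
        {
            path = substr($0, 3)        # drop the "W " / "P " tag
            sub("/[^/]*$", "", path)    # keep the parent directory
            n[path]++
        }
        END { for (d in n) print n[d], d }' | sort -rn
}

# Stand-alone use: sh script.sh / /path/to/reference-file
if [ "$#" -ge 2 ]; then
    ro_blockers "$1" "$2"
    ro_summary "$1" "$2"
fi
```

Paths containing newlines are not handled, and a file that is only rewritten on rare events (a password change, say) will not show up unless that event happened after the reference timestamp.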


