- 12-21-2005 #1 Just Joined!
- Join Date
- Feb 2005
- Posts
- 46
/etc on separate partition
Hi,
Is it possible to mount the /etc directory on a separate partition? Ideally, I want that partition on a USB pen drive that is in read-only mode.
Thanks.
- 12-22-2005 #2 Linux Engineer
- Join Date
- Nov 2004
- Location
- Ft. Polk, LA
- Posts
- 796
It's definitely possible, but definitely not easy. It would likely involve hacking the init program to mount /etc before it does anything else, since that's where init reads all its configuration data from. If you don't have a decent knowledge of C and the workings of Linux, then I do not recommend attempting this. I'm curious to know, why put /etc on a pen drive?
- 12-22-2005 #3
Taking a stab, I would think that you are trying to prevent your config files from getting edited (by keeping them in RO mode)? As valan said, this would be difficult as to mount, init reads fstab (from /etc). I can suggest, though, that you just have your whole root partition (/) mounted as RO, since nothing really needs to write to it as long as /home, /usr, /var, and /tmp are on separate partitions.
"Time is an illusion. Lunchtime, doubly so."
~Douglas Adams, The Hitchhiker's Guide to the Galaxy
- 12-28-2005 #4 Just Joined!
- Join Date
- Feb 2005
- Posts
- 46
Thanks for the replies.
The reason I want a pen drive is so that if someone ever gets root access, they can simply remount the partition as read-write. I have some pen drives that have a read-only switch on them, and would therefore require the attacker to have physical access to it to make changes to my config.
- 12-29-2005 #5 Linux Enthusiast
- Join Date
- Apr 2004
- Location
- UK
- Posts
- 658
initrd
I'm not sure if it's exactly what you are after, but you could use an initrd to do the first few steps of the boot, along with mounting the /etc/ partition on the actual root partition and then perform a pivot_root to switch from the initrd to the actual root partition to complete the boot.
It's not exactly what you are after but you might be able to adapt a similar technique from an encrypted root partition howto.
http://www.ibiblio.org/pub/Linux/doc...tem-HOWTO.html
Check out the link for 'Setting up the boot device'
Of course it is worth noting that if someone gains root access they can patch or replace your programs to look elsewhere for their config files, so a read-only /etc/ isn't a panacea. Something like tripwire would be required to check for changes to the binaries, and the same tool could be used to monitor your config files.
Hope that helps,
Chris...
To be good, you must first be bad. "Newbie" is a rank, not a slight.
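
The integrity check suggested in the post above, sketched as an added example that is not part of the original thread and is not Tripwire itself: it records a SHA-256 baseline of a directory tree such as /etc or a binary directory, then reports files that were modified, added or removed. The function names `make_baseline` and `check_baseline` are hypothetical, GNU `sha256sum` is assumed, and the baseline file is assumed to be kept on media the running system cannot write to, such as the write-protected pen drive.

```shell
#!/bin/sh
# Added example: minimal file-integrity baseline and check (not Tripwire).
# Assumes GNU coreutils sha256sum, plus find, sort and awk.
# Caveat: sha256sum escapes names containing backslashes or newlines;
# such names are not handled here.

# make_baseline DIR OUT: write "hash  ./path" for every regular file in DIR.
# OUT should live outside DIR, ideally on read-only media (assumption).
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# check_baseline DIR BASELINE: print ADDED/MODIFIED/REMOVED lines.
# Returns 0 when DIR matches the baseline, 1 when it differs.
check_baseline() {
    dir=$1
    base=$2
    cur=$(mktemp) || return 2
    make_baseline "$dir" "$cur"
    report=$(awk '
        { path = substr($0, 67) }   # 64 hex digits + 2 separator characters
        FILENAME == ARGV[1] { old[path] = $1; next }
        { seen[path] = 1 }
        !(path in old)      { print "ADDED " path; next }
        old[path] != $1     { print "MODIFIED " path }
        END { for (f in old) if (!(f in seen)) print "REMOVED " f }
    ' "$base" "$cur" | sort)
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Run `make_baseline /etc /mnt/usb/etc.sha256` once from a known-good state (the path is a placeholder), then `check_baseline /etc /mnt/usb/etc.sha256` on a schedule. A root-level attacker can still tamper with the checking tools themselves, so the check is most trustworthy when run from separate boot media.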
- 12-30-2005 #6
helpmhost, it's nice that you are security minded, but I don't see this as a good solution for blocking attackers. There are plenty of attacks that can be run without getting rw access to your /etc config files.
If you are really concerned about your environment (and your root account being at risk), you should be looking at other steps to harden your system - SELinux may be what you want to pursue.
This page links to some SELinux resources that may be helpful to you: http://lxer.com/module/newswire/view/50251/index.html


