How-To Make the root filesystem read-only
The procedure in this article was written and tested with openSuSE linux 10.1. Whilst there is no guarantee, it should be applicable to later versions. If you find this to be incorrect, please help to update this article.

Procedure

There are two files in the /etc directory that need to be writable. These are:
    /etc/mtab
    /etc/resolv.conf
Also there are several files (logs etc.) in /var which need to be writable, and of course /tmp. We will use the /dev/shm ramfs to keep these files. In order to do that we need to edit some of the boot scripts in /etc/init.d.
1. Delete /etc/mtab.
2. Link /proc/mounts to /etc/mtab:
       # ln -s /proc/mounts /etc/mtab
3. Move /etc/resolv.conf to /dev/shm/resolv.conf:
       # mv /etc/resolv.conf /dev/shm
4. Link /dev/shm/resolv.conf to /etc/resolv.conf:
       # ln -s /dev/shm/resolv.conf /etc/resolv.conf
5. Create an archive of /var which will be extracted on the /dev/shm fs on boot:
       # tar -zcvf /var.tgz /var/*
6. Move /var to /dev/shm:
       # mv /var /dev/shm
7. Create a link from /dev/shm/var to /var:
       # ln -s /dev/shm/var /var
   You could create links only for the folders inside /var that need to be writable (i.e. /var/log, etc.) and save some memory by not copying libraries and other read-only files located under /var into memory. Here, for simplicity, we just copy everything into /dev/shm.
8. Delete /tmp and create a directory /dev/shm/tmp.
9. Create a link from /dev/shm/tmp to /tmp:
       # ln -s /dev/shm/tmp /tmp
10. Edit /etc/init.d/boot.rootfsck. After the fsck the script remounts the root file system as read-write. Find every line that remounts and change it like this:
    from:
       mount -n -o remount,rw /
    to:
       mount -n -o remount,ro /
    Find the line that deletes /etc/mtab* and comment it out:
       #rm -f /etc/mtab*
    Below that line add the following:
       touch /dev/shm/resolv.conf   # creates the /dev/shm/resolv.conf file
       mkdir /dev/shm/tmp
       tar -C /dev/shm -zxf /var.tgz
11. Edit /etc/init.d/boot.localfs and comment out the following line:
       #rm -f /etc/nologin /nologin /fastboot /forcefsck /success
12. Edit /etc/pam.d/login to remove the module that logs the login of a user. Comment out the line:
       # session required pam_lastlog.so nowtmp
13. Edit /etc/fstab and set the mount option on / to be ro. For example, the line:
       /dev/sda2 / reiserfs acl,user_xattr 1 1
    is changed to:
       /dev/sda2 / reiserfs ro,acl,user_xattr 1 1
14. Remount the root filesystem read-only:
       # mount -o remount,ro /

Conclusions

If everything worked, your system now has a read-only root filesystem. Note that each time you need to install extra software, run online update, etc., you must first remount your root partition read-write:
    # mount -o remount,rw /
Note that keeping all the tmp files in memory on systems that have a long uptime can be a problem. You can add a cronjob to periodically delete /tmp/* and maybe store the logs of /var/log to a persistent location and then delete them. This way you can avoid problems caused by a full /dev/shm fs.
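As an added verification helper (not part of the original wiki article), the following POSIX shell script checks the end state of the procedure after a reboot: it parses the mounts table to confirm that / carries the ro option, and confirms that the four paths were redirected into /dev/shm. The file paths are the ones from the article; the function names and the --check flag are my own.

```shell
#!/bin/sh
# Added verification helper; not from the openSUSE wiki article. Confirms the
# end state of the procedure: / read-only, writable paths living in /dev/shm.

# Print the mount options of the filesystem mounted at $2 (default "/"), read
# from the mounts table $1 (default /proc/mounts, which /etc/mtab now links to).
# Fields: device mountpoint fstype options dump pass. If "/" appears twice
# (rootfs, then the real root) the last entry is the live one.
mount_opts() {
    awk -v mp="${2:-/}" '$2 == mp { opts = $4 } END { print opts }' "${1:-/proc/mounts}"
}

# Return 0 if the filesystem at $2 carries the "ro" option in table $1.
# Options are comma-separated; matching ",ro," keeps "errors=remount-ro"
# from being mistaken for a read-only mount.
is_mounted_ro() {
    case ",$(mount_opts "$1" "$2")," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Return 0 if $1 is a symlink whose target is exactly $2 (readlink: coreutils).
links_to() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# Check every item the procedure sets up; print one line per item and return
# non-zero if any check fails.
check_layout() {
    rc=0
    if is_mounted_ro /proc/mounts /; then
        echo "ok: / is mounted read-only"
    else
        echo "FAIL: / is still read-write"; rc=1
    fi
    for pair in /etc/mtab:/proc/mounts /etc/resolv.conf:/dev/shm/resolv.conf \
                /var:/dev/shm/var /tmp:/dev/shm/tmp; do
        link=${pair%%:*}; target=${pair#*:}
        if links_to "$link" "$target"; then
            echo "ok: $link -> $target"
        else
            echo "FAIL: $link does not point to $target"; rc=1
        fi
    done
    return $rc
}
# Run the full check when invoked as: sh check_ro_root.sh --check
if [ "${1:-}" = "--check" ]; then check_layout; fi
```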