Mailinglist Archive: opensuse (818 mails)

Re: [opensuse] Howto run Apache web server on read-only root file system
On 01/09/11 04:38, Monika Kistler wrote:


> For security reasons I need to have the root file system mounted
> read-only.

What security does that provide according to your appreciation? I only
see it as a false sense of security.


> /var is mounted read/write on a separate partition, thus the log files do not
> cause any problem.
>
> When booting my system I get the following errors, due to read-only rootfs.


> mv: inter-device move failed: `/tmp/apache2.PLbqAdT67tqh' to
> `/etc/apache2/sysconfig.d/loadmodule.conf'; unable to remove target:
> Read-only file system
> /usr/share/apache2/get_module_list: line 113:
> /etc/apache2/sysconfig.d/global.conf: Read-only file
> system
> /usr/share/apache2/get_module_list: line 114: 3: Bad file descriptor
> /usr/share/apache2/get_module_list: line 136: 3: Bad file descriptor
> /usr/share/apache2/get_module_list: line 140: 3: Bad file descriptor
> /usr/share/apache2/get_module_list: line 141: 3: Bad file descriptor
> /usr/share/apache2/get_module_list: line 144: 3: Bad file descriptor
> /usr/share/apache2/get_module_list: line 151: 3: Bad file descriptor
> /usr/share/apache2/get_includes: line 15:
> /etc/apache2/sysconfig.d/include.conf: Read-only file
> system
> /usr/share/apache2/get_includes: line 16: 3: Bad file descriptor
> /usr/share/apache2/get_includes: line 43: 3: Bad file descriptor


Well, yes, Apache generates a lot of configuration automatically at
startup so you can use /etc/sysconfig/apache2, you need /etc writable by
root anyway...

IMHO you are attempting to secure the wrong thing; without my appropriate
dose of caffeine I can instantly recall a lot of attack vectors for a
webserver that don't require rootfs writable..
