Subject: Re: sshd and read-only filesystem
To: None <p99dreyf@criens.u-psud.fr>
From: Christos Zoulas <christos@zoulas.com>
List: tech-security
Date: 07/10/2001 16:20:39
On Jul 10, 10:01pm, manu@netbsd.org (Emmanuel Dreyfus) wrote:
-- Subject: Re: sshd and read-only filesystem

| But it is a pain to be unable to use sshd with a read-only filesystem.

But having dev readonly does not really work, does it? What happens
when you try to write to /dev/null?

You can always do the mfs /dev trick that init does.

christos

| You may want to set up a firewall or sniffer with the filesystem mounted
| read-only and securelevel=2, or even with a read-only boot media (hard
| disk write protected using a jumper, CDROM, or why not just an EPROM if
| we are running on an embedded device?), so that if it is compromised you
| remain absolutely certain that rebooting the system will bring back a
| clean state. And it is useful to be able to ssh to such a box, for
| instance for running tcpdump, collecting statistics, or simply for
| adding ipf rules.
| 
| Would there be a problem if we allow using a pty that you do not own if
| it is owned by root? After all, the risk is that root snoops what you
| are doing on your pty, but root can always snoop any pty, regardless of who
| is the owner, isn't it?
| 
| -- 
| Emmanuel Dreyfus
| p99dreyf@criens.u-psud.fr
-- End of excerpt from Emmanuel Dreyfus