Re: /boot partition changes when it should not



Bob McGowan wrote:
> It is almost certainly the mount count.

I just manually unmounted and mounted the device a few times, with the
arguments I have in fstab ("ro", "noatime"). In other words, I did:

umount /boot; mount /boot; dd_rescue /dev/sda1 /tmp/boot1;
umount /boot; mount /boot; dd_rescue /dev/sda1 /tmp/boot2;
diff /tmp/boot1 /tmp/boot2

Result: No change. Hence it does not increment a mount count as long as
it is manually unmounted and remounted while the system is up.

What do I have to change in the boot process so that the mount count
does not get updated? How do I get the boot process to honor the fstab
options?

> It is worth noting that the read-only mount prevents writes via "normal"
> filesystem functions, only.
>
> You could still have a write done directly to the device, using the
> reverse of what the OP did to get the checksum, and completely destroy
> the disk content.
>
> Or, more to the point, use a "disk editor" and twiddle a bit here and
> there.

Malicious modifying of files with a disk editor is exactly the undesired
stuff that this whole checksumming is supposed to detect.

> To get an absolute, no write, ever, to the device, the OP will need to
> figure out how to force read only permissions on the device /dev/sda1,
> across boots.

Fantastic idea! Can it be done? I have not heard about this yet. It
would be great.


Archive: http://lists.debian.org/4B95A293.1030001@xxxxxx
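
Added example, not part of the original message: one way to test the mount-count theory on two saved images such as /tmp/boot1 and /tmp/boot2 is to list which mount-time fields of the primary ext2/3/4 superblock differ, and to hash each image with those fields zeroed so that only other changes alter the digest. The function names and the sample images are constructed for illustration; it assumes an ext2/3/4 filesystem and does not account for journal replay or the ext4 superblock checksum.

```python
import hashlib
import struct

SB_OFFSET = 1024      # the primary ext2/3/4 superblock starts at byte 1024
EXT_MAGIC = 0xEF53    # s_magic, at superblock offset 56
# Superblock fields rewritten on mount/unmount: name -> (offset, struct format)
VOLATILE = {
    "s_mtime": (44, "<I"),      # last mount time
    "s_wtime": (48, "<I"),      # last write time
    "s_mnt_count": (52, "<H"),  # mounts since the last fsck
    "s_state": (58, "<H"),      # clean / not-clean flag
}

def read_fields(img):
    """Decode the volatile superblock fields from a raw partition image."""
    if len(img) < SB_OFFSET + 1024:
        raise ValueError("image too small to hold a superblock")
    if struct.unpack_from("<H", img, SB_OFFSET + 56)[0] != EXT_MAGIC:
        raise ValueError("no ext2/3/4 superblock magic found")
    return {name: struct.unpack_from(fmt, img, SB_OFFSET + off)[0]
            for name, (off, fmt) in VOLATILE.items()}

def changed_fields(img_a, img_b):
    """Return {field: (old, new)} for volatile fields that differ."""
    a, b = read_fields(img_a), read_fields(img_b)
    return {name: (a[name], b[name]) for name in VOLATILE if a[name] != b[name]}

def stable_digest(img):
    """SHA-256 of the image with the volatile superblock fields zeroed."""
    read_fields(img)  # validates size and magic
    buf = bytearray(img)
    for off, fmt in VOLATILE.values():
        size = struct.calcsize(fmt)
        buf[SB_OFFSET + off:SB_OFFSET + off + size] = bytes(size)
    return hashlib.sha256(buf).hexdigest()

def sample_image(mnt_count, mtime, payload=b"kernel"):
    """Constructed 4 KiB stand-in for a partition image (not real data)."""
    img = bytearray(4096)
    struct.pack_into("<H", img, SB_OFFSET + 56, EXT_MAGIC)
    struct.pack_into("<I", img, SB_OFFSET + 44, mtime)
    struct.pack_into("<H", img, SB_OFFSET + 52, mnt_count)
    img[3000:3000 + len(payload)] = payload
    return bytes(img)

if __name__ == "__main__":
    before = sample_image(7, 1268000000)
    after = sample_image(8, 1268100000)              # one more mount
    tampered = sample_image(8, 1268100000, b"kernal")  # file data altered
    print(changed_fields(before, after))
    print(stable_digest(before) == stable_digest(after))     # True
    print(stable_digest(before) == stable_digest(tampered))  # False
```

On real images, read each file in binary mode and pass the bytes to these functions; a non-empty changed_fields() result with equal stable_digest() values means only mount bookkeeping differs.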