Is making /var/log directory read only on debian linux safe

logspermissions

I am installing a really small server which got a 512mb CF cars as HD.
Not only I haven't plenty of space, but I would like to minimize the writes to disk.

I would like to completely clear the /var/log directory and to make it read only (write protected).

Will the system hang if I do so?

Best Answer

Instead of making it read only, I would create /var/log as tempfs. and regularily prune. Of course that only works if you have enough spare RAM available.

You can do the same for other possible non-essential directories like /var/tmp

Entries in my /etc/fstab (now commented out):

tmpfs   /var/tmp   tmpfs   defaults,noatime,mode=1777,size=128M   0  0
tmpfs   /var/log   tmpfs   defaults,noatime,mode=0755,size=128M   0  0

Related Solutions

Linux – Correlating /var/log/* timestamps

Interesting problem, Not sure I've ever tried to do this. But I have notice the timestamp you are talking about and I have always belived it to be seconds since bootup.

In my syslog I have on my server, I have:

Jan 10 19:58:55 wdgitial kernel: [    0.000000] Initializing cgroup subsys cpuset
Jan 10 19:58:55 wdgitial kernel: [    0.000000] Initializing cgroup subsys cpu
Jan 10 19:58:55 wdgitial kernel: [    0.000000] Linux version 2.6.32-21-server (buildd@yellow) (gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5) ) #32-Ubuntu SMP Fri Apr 16     09:17:34 UTC 2010 (Ubuntu 2.6.32-21.32-server 2.6.32.11+drm33.2)
Jan 10 19:58:55 wdgitial kernel: [    0.000000] Command line:  root=/dev/xvda1 ro quiet splash

I would imagine this is fairly consistent among most Linux distro's as this is the kernel spitting out it's stuff.

And here I have the date along with the timestamp.

Linux – Make all files under a directory read-only without changing permissions

This answer works on Debian (tested on lenny and squeeze). After investigation, it seems to work only thanks to a Debian patch; users of other distributions such as Ubuntu may be out of luck.

You can use mount --bind. Mount the “real” filesystem under a directory that's not publicly accessible. Make a read-only bind mount that's more widely accessible. Make a read-write bind mount for the part you want to expose with read-write access.

mkdir /media/hidden /media/hidden/sdz99
chmod 700 /media/hidden
mount /dev/sdz99 /media/hidden/sdz99
mount -o bind,ro /media/hidden/sdz99/world-readable /media/world-readable
mount -o bind /media/hidden/sdz99/world-writable /media/world-writable

In your use case, I think you can do:

mkdir /var/smb/hidden
mv /var/smb/snapshot /var/smb/hidden
mkdir /var/smb/snapshot
chmod 700 /var/smb/hidden
chmod 755 /var/smb/hidden/snapshot
mount -o bind,ro /var/smb/hidden/snapshot /var/smb/hidden/snapshot

I.e. put the real snapshot directory under a restricted directory, but give snapshot read permissions for everyone. It won't be directly accessible because its parent has restricted access. Bind-mount it read-only in an accessible location, so that everyone can read it through that path.

(Read-only bind mounts only became possible several years after bind mounts were introduced, so you might remember a time when they didn't work. I don't know offhand since when they work, but they already worked in Debian lenny (i.e. now oldstable).)

Best Answer

Related Solutions

Linux – Correlating /var/log/* timestamps

Linux – Make all files under a directory read-only without changing permissions

Related Question