So my approach was to arrange for the system to have only one writable partition, /var. All other partitions would be read-only, including /. And the /var partition would be recreated from scratch at boot-time, meaning there was no danger in a sudden shutdown, since even if the old, writable /var got corrupted, it wouldn't matter, since we were never going to try and mount that version again.

Anything that needed to be writable on the other read-only parititions would be replaced by a symlink into /var. At boot-time, /var would be created by wiping its partition, and then re-initializing it by copying the contents of the /var-ro directory into it.

Here are the steps I followed to create this system:

Install Linux.

• Install Red Hat Linux 6.2 from scratch. Do a totally minimal install (just X: no GNOME, no inetd, no extras.)

• Partition the system like so (the machines I'm using have 800M disks: that's plenty for this application.)

  /boot:	5M;
  swap:	128M;
  /:	600M;
  /rw:	38M.

  Now boot it.

• Install some more packages: I find installation to be a lot easier with these around...
  • ssh;
  • sshd;
  • xemacs;
  • lynx;
  • wget;
  • gnorpm.

• Turn off ``xfs'', the X Font Server. Once we make things read-only, it won't work any more and I didn't bother figuring out why. It doesn't matter, we don't really need it. Turn it off like so:
  chkconfig xfs off

  Then edit /etc/X11/XF86Config to add real font paths:

  FontPath "/usr/lib/X11/fonts/75dpi/"
  FontPath "/usr/lib/X11/fonts/misc/"
  FontPath "/usr/lib/X11/fonts/CID/"
  FontPath "/usr/lib/X11/fonts/Speedo/"
  FontPath "/usr/lib/X11/fonts/Type1/"

• Turn off some more stuff we don't need:
  chkconfig apmd off;
  chkconfig gpm off;
  chkconfig kudzu off;
  chkconfig sendmail off

• Install some more stuff:
  • Helix GNOME, minimal install.
  • netscape-navigator (not netscape-communicator.)
  • GSendmail and Muttzilla (to make Navigator able to use mailto: links);
  • Macromedia Flash plugin;
  • RealPlayer 7;
  • xpdf;
  • xanim 2.80, plus xanim-nonfree-codecs;
  • xloadimage;

  • xdaliclock (for xscreensaver);
  • xfishtank (for xscreensaver);
  • xearth (for xscreensaver);
  • ssystem (for xscreensaver);
  • xmountains (for xscreensaver);
  • xaos (for xscreensaver);
  • xsnow (for xscreensaver);

  • words-2-12.noarch.rpm (for /usr/dict/words);
  • iputils (for ``ping'');
  • bind-utils (for ``nslookup'');
  • xntpd;
  • telnet;
  • traceroute;
  • libgr and libgr-progs;

  • symlink /usr/lib/libMesaGL[U].so.3 to /usr/lib/libGL[U].so.1 (some things need this.)

Install some kiosk utilities:

Install these scripts (written by me) into /usr/local/sbin:

kiosk-dm	A replacement display manager, for doing password-less logins. It simply invokes kiosk-session.
kiosk-session	A session script for kiosk-dm that logs in as guest without prompting for a password, then runs guest's .xsession file.
xsession	The guest user's .xsession file. It doesn't do much more than invoke gnome-session.
var-init	This script runs mkfs to recreate the /var partition from scratch; then initializes that file system with the contents of /var-ro. This is run early in the boot sequence.
kiosk-home-init	This script deletes everything under /var/home/guest and replaces it with a fresh copy from /var-ro/home/guest. This is run every time the guest user logs out and then back in again (e.g., when C-Alt-BS is typed.)
halt	This is a replacement for /usr/bin/halt that is mostly a no-op. The existing ``halt'' program gets somewhat confused by the read-only state of the world, so we need to use this stripped down version instead.

Initialize the ``guest'' user'senvironment:

• Create one password-less user, ``guest''.

• Log in as guest to the Helix GNOME desktop, and set up that user's preferences and session the way you like it (applications launched by default, proxy settings, mail servers, etc.) Save the session and log out.

• Edit guest's ~/.mailcap and ~/.mime.types files to taste.

Now guest's home directory needs to move to /var: GNOME won't even start if $HOME is not writable:

• mkdir /var/home
• mv /home/guest /var/home/guest
• ln -s /var/home/guest /home/guest

Set up auto-login for the guest user:

• in /etc/inittab, replace ``x:5:respawn:/etc/X11/prefdm -nodaemon'' with ``x:5:respawn:/usr/local/sbin/kiosk-dm''

• ln -s /usr/local/sbin/xsession /home/guest/.xssesion

Make the system boot read-only:

• Move certain tty/pty devices to /var:
  • mkdir /var/dev
  • cd /dev; find . -depth -print | cpio -pdm /var/dev
  • In /dev, symlink ``console'', ``tty?'', and ``pty*`` to /var/dev/*:
    cd /dev ; rm console tty? pty? ; ln -s /var/dev/{console,tty?,pty?} .

  These are the device files that need to be writable. The others can stay on the read-only file system. Don't just move the whole /dev directory to /var, because some of those devices are needed before /var has been mounted!

• Move the logger device to /var, so that messages will still show up in /var/log/* when the system is read-only:
  • /etc/rc.d/init.d/syslog stop
  • rm /dev/log ; ln -s /var/log/.socket /dev/log
  • Edit /etc/rc.d/init.d/syslog, and change the line that reads
    daemon syslogd -m 0 -r
    to read
    daemon syslogd -m 0 -p /var/log/.socket
  • /etc/rc.d/init.d/syslog start

• Prepare the /var template:
  • mkdir /var-ro
  • cd /var; find . -depth -print | cpio -pdm /var-ro

    Also move the RPM and ``locate'' databases to /var, which is where they should have been all along:

  • mv /var-ro/lib/rpm /var-ro/lib/slocate /usr/local/lib/
  • ln -s /usr/local/lib/rpm /var-ro/lib/rpm
  • ln -s /usr/local/lib/slocate /var-ro/lib/slocate

• Change the init sequence to boot read-only:
  • Delete /etc/rc.d/*/K* since we don't need to shut down anything when rebooting.

  • Link /etc/rc.d/init.d/halt to /usr/local/sbin/halt, since we don't need to be careful about shutting down.

  • Edit /etc/rc.d/rc.sysinit:
    • Comment out the line ending with ``mount -n -o remount,rw /''
    • After that line, add:
      action "Constructing writable file system" /usr/local/sbin/var-init

  • Boot standalone (``linux 1'' at LILO.)

  • Replace the mtab file with the /proc version:
    rm /etc/mtab ; ln -s /proc/mounts /etc/mtab

  • Move /tmp to /var:
    rmdir /tmp ; mkdir /var-ro/tmp ; ln -s /var/tmp /tmp

  • Clear out the now-obsolete contents of the old /var directory (it's all in /var-ro now):
    rm -rf /var/*

  • Edit /etc/fstab to call the former /rw partition /var, and make both / and /boot be read-only:

            /dev/hda5  /      ext2  defaults,ro  1 1
            /dev/hda1  /boot  ext2  defaults,ro  1 2
            /dev/hda7  /var   ext2  defaults     0 2
    

Boot up!

At this point you should have a functional system that can be power-cycled with reckless abandon. When it boots, you should auto-log-in to the guest desktop. When you type C-Alt-BS to kill the X server and log out, it should log you back in again, after having cleared out guest's home directory and resetting everything to the defaults. Likewise, if you pull the plug on the machine, it should boot up without error and without running fsck. C-Alt-DEL should shut down very quickly.

Make sure everything works and you're happy with the configuration.

Final security measures:

Turn on security to make it impossible to boot standalone without a password:
• In /etc/inittab, add ``~~:S:wait:/sbin/sulogin /dev/console'' to make a password be required to boot standalone.

• In /etc/lilo.conf, add a password for non-default boot options:
  restricted
  password="<pass>"

• chmod a-rwx /etc/lilo.conf ; lilo

Since the contents of /var go away when the machine is booted, you might want to configure it to send its syslog messages to another server:

• Replace the contents of /etc/syslog.conf with the single line:
  *.* @loghost
  where loghost is the machine to which logs should be sent.

• Ensure that UDP port 514 (syslog) is reachable on that machine.

And that should do it... As long as the machine does not have a CDROM or floppy drive attached to it, it should be impossible to remount any of the drives writably without guessing a password or cracking root some other way.

_______________________________________________

Again, please go back to see a diskless NFS-oriented approach to this, which I've decided is a better way.

_______________________________________________