Date: Wed, 7 Sep 2022 12:49:37 +0000
From: Sébastien BINI <Sebastien.BINI@stormshield.eu>
To: "freebsd-questions@FreeBSD.org" <freebsd-questions@FreeBSD.org>
Subject: chflags schg on secure level higher than 0
Message-ID: <53b63813561d464289c2727c09000a14@stormshield.eu>

Hi,

I have been playing with secure levels on FreeBSD, in an attempt to further improve the security of our FreeBSD products. The combination of secure level and the system immutable flag is quite appealing as we can then protect sensitive files.

However, I am concerned by the fact that the schg flag can still be added regardless of the secure level. That means that anyone with root access could add this flag on unexpected files, which may lead to some program malfunctions (in our case, some well-placed flag may even prevent any software upgrade...). Once they are set, those flags are difficult to remove because of the secure level.

I would have found it more logical that the secure level higher than 0 would simply prevent any SF_* flag from being set. We could easily write some MAC callback to protect ourselves against this, but is there a reason I am not seeing on why this is not the default behavior? Why does FreeBSD allow setting the schg flag if the secure level is 1 or higher?

Best regards,
Sébastien
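
The situation the message describes, system flags turning up on files nobody expected, can be caught with a periodic audit. The script below is an added example, not part of the original e-mail or of FreeBSD; the allowlist approach, the function names and the command-line usage are assumptions made for illustration.

```python
"""Report SF_* system flags set on paths outside an allowlist (added example)."""
import os
import stat
import sys

# System flags (SF_*) the audit looks for, keyed by their chflags(1) names.
SYSTEM_FLAGS = {
    "schg": stat.SF_IMMUTABLE,
    "sappnd": stat.SF_APPEND,
    "sunlnk": stat.SF_NOUNLINK,
}

def flag_names(st_flags):
    """Return the sorted names of the system flags present in an st_flags value."""
    return sorted(n for n, bit in SYSTEM_FLAGS.items() if st_flags & bit)

def unexpected(entries, allowlist):
    """entries: iterable of (path, st_flags) pairs.
    Return {path: [flag names]} for flagged paths that are neither listed in
    the allowlist nor located under an allowlisted directory."""
    allowed = [os.path.normpath(p) for p in allowlist]
    findings = {}
    for path, st_flags in entries:
        names = flag_names(st_flags)
        if not names:
            continue
        norm = os.path.normpath(path)
        # Compare on path-component boundaries so /bin does not cover /binx.
        if any(norm == a or norm.startswith(a.rstrip(os.sep) + os.sep)
               for a in allowed):
            continue
        findings[norm] = names
    return findings

def scan(root):
    """Yield (path, st_flags) for everything under root, not following symlinks."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            # st_flags is present on FreeBSD; treat it as 0 where it is absent.
            yield path, getattr(st, "st_flags", 0)

if __name__ == "__main__":
    # Assumed usage: audit.py ROOT [ALLOWED_PATH ...]
    root, allow = sys.argv[1], sys.argv[2:]
    for path, names in sorted(unexpected(scan(root), allow).items()):
        print(f"{path}\t{','.join(names)}")
```

Running it before raising the secure level, and again from a scheduled job, gives a list of flagged paths to review while the flags can still be cleared.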