Date:      Thu, 12 Apr 2007 13:20:47 +0200
From:      Bernd Walter <ticso@cicely12.cicely.de>
To:        Robert Watson <rwatson@FreeBSD.org>
Cc:        John Nielsen <lists@jnielsen.net>, ticso@cicely.de, current@FreeBSD.org
Subject:   Re: ZFS to support chflags?
Message-ID:  <20070412112045.GR30772@cicely12.cicely.de>
In-Reply-To: <20070412114135.C64803@fledge.watson.org>
References:  <200704112004.03903.lists@jnielsen.net> <20070412021645.GQ30772@cicely12.cicely.de> <20070412114135.C64803@fledge.watson.org>

On Thu, Apr 12, 2007 at 11:42:37AM +0100, Robert Watson wrote:
> 
> On Thu, 12 Apr 2007, Bernd Walter wrote:
> 
> >On Wed, Apr 11, 2007 at 08:04:03PM -0400, John Nielsen wrote:
> >
> >>I just moved /usr over to a zpool on my -CURRENT system. Performance and 
> >>stability are both excellent so far. (Thanks Pawel!) However I noticed 
> >>that setting FS flags on files with chflags is not supported. Would it be 
> >>feasible to add support for flags on ZFS, and if so are there plans to do 
> >>so?
> >>
> >>If not (and/or in the meantime), are there any places in the base system 
> >>where flags are required for normal operation? (/var maybe?)
> >
> >Some binaries have such flags set, but it is not required, otherwise 
> >diskless NFS wouldn't work. I often see installworld warnings about being 
> >unable to set extended flags on ld.so and others on my diskless boxes.
> 
> I'm not a big fan of setting these flags -- I fairly frequently run into 
> problems when I installworld an NFS root on the NFS host, then try to work 
> with it over NFS from the NFS-booted system, as the flags can't be removed 
> via NFS.  They don't offer a security benefit as-installed, and perhaps 
> offer a benefit with respect to preventing people from shooting themselves 
> in the foot (or perhaps not).

They do add security benefits for jails.
E.g. hardlink system binaries over multiple jails flagged immutable.
No jail can compromise the data in other jails, while still allowing
the kernel to share memory pages for it.

-- 
B.Walter                http://www.bwct.de      http://www.fizon.de
bernd@bwct.de           info@bwct.de            support@fizon.de
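
Added example, not part of the original message or of FreeBSD: a Python audit for the setup described above, reporting regular files that are hardlinked into more than one jail root but do not carry the system immutable flag (`schg`, `SF_IMMUTABLE`). The function names and the jail root paths given on the command line are assumptions made for illustration.

```python
import os
import stat
import sys
from collections import defaultdict


def file_flags(st):
    # st_flags is filled in on BSD-derived systems; elsewhere report no flags.
    return getattr(st, "st_flags", 0)


def audit_shared_binaries(jail_roots, get_flags=file_flags):
    """Map (dev, inode) -> sorted paths for files shared by hardlink across
    two or more jail roots that are NOT flagged system-immutable."""
    seen = defaultdict(list)  # (dev, inode) -> [(root, path, flags)]
    for root in jail_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)  # do not follow symlinks
                # Only regular files with more than one link can be shared.
                if not stat.S_ISREG(st.st_mode) or st.st_nlink < 2:
                    continue
                key = (st.st_dev, st.st_ino)
                seen[key].append((root, path, get_flags(st)))

    findings = {}
    for key, entries in seen.items():
        roots = {root for root, _path, _flags in entries}
        flags = entries[0][2]  # flags belong to the inode, same for all links
        # Same inode visible in several jails and still writable: a change
        # made through one jail's link shows up in every other jail.
        if len(roots) > 1 and not flags & stat.SF_IMMUTABLE:
            findings[key] = sorted(path for _root, path, _flags in entries)
    return findings


if __name__ == "__main__":
    # Usage (paths are placeholders): audit.py /jails/a /jails/b
    for (dev, ino), paths in audit_shared_binaries(sys.argv[1:]).items():
        print(f"inode {ino} on dev {dev} shared without schg:")
        for p in paths:
            print(f"  {p}")
```
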


