From owner-freebsd-current@FreeBSD.ORG Thu Apr 12 12:34:12 2007
Date: Thu, 12 Apr 2007 13:34:11 +0100 (BST)
From: Robert Watson
To: ticso@cicely.de
Cc: John Nielsen, current@FreeBSD.org
Subject: Re: ZFS to support chflags?
In-Reply-To: <20070412112045.GR30772@cicely12.cicely.de>
Message-ID: <20070412133301.L99718@fledge.watson.org>

On Thu, 12 Apr 2007, Bernd Walter wrote:

>> I'm not a big fan of setting these flags -- I fairly frequently run into
>> problems when I installworld an NFS root on the NFS host, then try to work
>> with it over NFS from the NFS-booted system, as the flags can't be removed
>> via NFS. They don't offer a security benefit as-installed, and perhaps
>> offer a benefit with respect to preventing people from shooting themselves
>> in the foot (or perhaps not).
>
> They do add security benefits for jails. E.g. hardlink system binaries over
> multiple jails, flagged immutable. No jail can compromise the data in other
> jails, while still allowing the kernel to share memory pages for it.

However, the standard installworld doesn't do this. I don't object to the
flags existing, it's rather that I think that the incremental benefit of the
cases where we do set them by default via installworld isn't there. If you're
going to use schg to protect jails, it basically requires setting the flag on
all the directories and files that are shared, and that wouldn't be a good
default either. :-)

Robert N M Watson
Computer Laboratory
University of Cambridge
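An audit script for the setup discussed above (binaries hardlinked between jails and protected with schg), added here as an example and not part of the thread: it reads `stat -f '%Sf %N'` output for the shared tree and reports every file or directory that is not flagged schg, which is the "all the directories and files that are shared" condition the reply points out. The listing embedded in the block is constructed sample data, and `/jails/shared` is an assumed path.

```shell
#!/bin/sh
# Audit a tree shared between jails for entries that are NOT flagged schg.
# Input lines are "flags path", the format produced on FreeBSD by:
#   find /jails/shared -exec stat -f '%Sf %N' {} +   (path is an assumption)
# stat(1) prints "-" when no flags are set and a comma-separated list otherwise.
# Prints each unprotected path on its own line; exit status 1 if any were found.
check_schg() {
    awk '{
        flags = $1
        path = substr($0, length($1) + 2)          # keep spaces in the path
        if ("," flags "," !~ /,schg,/) { print path; missing++ }
    }
    END { exit (missing > 0) }'
}

# Constructed sample listing (not captured from a real system) for an offline run.
sample_listing() {
    printf '%s\n' \
        'schg /jails/shared/bin' \
        'schg /jails/shared/bin/sh' \
        '- /jails/shared/bin/ls' \
        'schg,sunlnk /jails/shared/sbin' \
        'uchg /jails/shared/sbin/init'
}

# Number of entries in the sample that a jail root could still modify or unlink.
unflagged_count() {
    sample_listing | check_schg | wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    sample_listing | check_schg
fi
```

Note that uchg on /jails/shared/sbin/init is reported as well: a jail root can clear user flags, so only the system flag counts.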