Date: Thu, 12 Apr 2007 12:30:55 -0500
From: Eric Anderson <anderson@freebsd.org>
To: Kris Kennaway <kris@obsecurity.org>
Cc: current@freebsd.org
Subject: Re: ZFS to support chflags?
Message-ID: <461E6CCF.2080802@freebsd.org>
In-Reply-To: <20070412172811.GA48309@xor.obsecurity.org>
References: <200704112004.03903.lists@jnielsen.net> <20070412021645.GQ30772@cicely12.cicely.de> <20070412114135.C64803@fledge.watson.org> <20070412172811.GA48309@xor.obsecurity.org>

On 04/12/07 12:28, Kris Kennaway wrote:
> On Thu, Apr 12, 2007 at 11:42:37AM +0100, Robert Watson wrote:
>> On Thu, 12 Apr 2007, Bernd Walter wrote:
>>
>>> On Wed, Apr 11, 2007 at 08:04:03PM -0400, John Nielsen wrote:
>>>
>>>> I just moved /usr over to a zpool on my -CURRENT system. Performance and
>>>> stability are both excellent so far. (Thanks Pawel!) However I noticed
>>>> that setting FS flags on files with chflags is not supported. Would it be
>>>> feasible to add support for flags on ZFS, and if so are there plans to do
>>>> so?
>>>>
>>>> If not (and/or in the meantime), are there any places in the base system
>>>> where flags are required for normal operation? (/var maybe?)
>>> Some binaries have such flags set, but it is not required, otherwise
>>> diskless NFS wouldn't work. I often see installworld warnings about being
>>> unable to set extended flags on ld.so and others on my diskless boxes.
>> I'm not a big fan of setting these flags -- I fairly frequently run into
>> problems when I installworld an NFS root on the NFS host, then try to work
>> with it over NFS from the NFS-booted system, as the flags can't be removed
>> via NFS. They don't offer a security benefit as-installed, and perhaps
>> offer a benefit with respect to preventing people from shooting themselves
>> in the foot (or perhaps not).
>
> Yeah, historical intentions notwithstanding, the real benefit of schg
> flags on critical pieces is anti foot-shooting. e.g. you really don't
> want to accidentally delete ld-elf.so.1 or libc.so.7 or init.
> You can usually recover from this, but it can mess up your whole day
> :)
>
> Kris

Yea, all I have to say is: thank you to <SOMEBODY> for /rescue!!!

Eric