Date: Wed, 2 Oct 1996 10:41:41 -0400 From: Garrett Wollman <wollman@lcs.mit.edu> To: Michael Hancock <michaelh@cet.co.jp> Cc: current@freebsd.org Subject: Immutable flags (was: Re: WARNING: botched ld.so commit! :-() Message-ID: <9610021441.AA28734@halloran-eldar.lcs.mit.edu> In-Reply-To: <Pine.SV4.3.93.961002102251.1788A-100000@parkplace.cet.co.jp> References: <199610011435.AAA32208@godzilla.zeta.org.au> <Pine.SV4.3.93.961002102251.1788A-100000@parkplace.cet.co.jp>
next in thread | previous in thread | raw e-mail | index | archive | help
<<On Wed, 2 Oct 1996 10:25:43 +0900 (JST), Michael Hancock <michaelh@cet.co.jp> said: > On Wed, 2 Oct 1996, Bruce Evans wrote: >> This shows that the chflags on ld.so is mainly to [prevent] shoot[ing] >> yourself in the foot. It doesn't improve security. > I was thinking of asking why we're evening using it when > INITIAL_IMMUTABLE_LEVEL is not configurable without hardcoding the source. Ummm, INITIAL_IMMUTABLE_LEVEL? This doesn't mean anything to me. In any case, the immutable bits are set for two reasons: 1) They were set on the code we got from Berkeley. 2) We wanted to make it easier for people to secure their systems by pre-configuring those files. There are a number of files which are necessary for system recovery which probably should be set immutable but aren't; these include /bin/sh, /bin/test, /sbin/fsck, and a number of others. In addition, administrators will have to remember for themselves to set their configuration files immutable and their important system directories append-only, which can only be done after a machine is set up to the administrator's satisfaction. -GAWollman -- Garrett A. Wollman | O Siem / We are all family / O Siem / We're all the same wollman@lcs.mit.edu | O Siem / The fires of freedom Opinions not those of| Dance in the burning flame MIT, LCS, ANA, or NSA| - Susan Aglukark and Chad Irschick
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9610021441.AA28734>