From owner-freebsd-current  Wed Oct  2 07:41:52 1996
Return-Path: owner-current
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id HAA12308
          for current-outgoing; Wed, 2 Oct 1996 07:41:52 -0700 (PDT)
Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id HAA12299
          for <current@freebsd.org>; Wed, 2 Oct 1996 07:41:47 -0700 (PDT)
Received: by halloran-eldar.lcs.mit.edu; (5.65v3.2/1.1.8.2/19Aug95-0530PM)
	id AA28734; Wed, 2 Oct 1996 10:41:41 -0400
Date: Wed, 2 Oct 1996 10:41:41 -0400
From: Garrett Wollman <wollman@lcs.mit.edu>
Message-Id: <9610021441.AA28734@halloran-eldar.lcs.mit.edu>
To: Michael Hancock <michaelh@cet.co.jp>
Cc: current@freebsd.org
Subject: Immutable flags (was: Re: WARNING: botched ld.so commit! :-()
In-Reply-To: <Pine.SV4.3.93.961002102251.1788A-100000@parkplace.cet.co.jp>
References: <199610011435.AAA32208@godzilla.zeta.org.au>
	<Pine.SV4.3.93.961002102251.1788A-100000@parkplace.cet.co.jp>
Sender: owner-current@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

<<On Wed, 2 Oct 1996 10:25:43 +0900 (JST), Michael Hancock <michaelh@cet.co.jp> said:

> On Wed, 2 Oct 1996, Bruce Evans wrote:
>> This shows that the chflags on ld.so is mainly to [prevent] shoot[ing]
>> yourself in the foot.  It doesn't improve security.

> I was thinking of asking why we're evening using it when
> INITIAL_IMMUTABLE_LEVEL is not configurable without hardcoding the source.

Ummm, INITIAL_IMMUTABLE_LEVEL?  This doesn't mean anything to me.

In any case, the immutable bits are set for two reasons:

1) They were set on the code we got from Berkeley.
2) We wanted to make it easier for people to secure their systems by
pre-configuring those files.

There are a number of files which are necessary for system recovery
which probably should be set immutable but aren't; these include
/bin/sh, /bin/test, /sbin/fsck, and a number of others.  In addition,
administrators will have to remember for themselves to set their
configuration files immutable and their important system directories
append-only, which can only be done after a machine is set up to the
administrator's satisfaction.

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom 
Opinions not those of| Dance in the burning flame
MIT, LCS, ANA, or NSA|                     - Susan Aglukark and Chad Irschick