From owner-freebsd-security@FreeBSD.ORG Wed Feb 11 01:29:50 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A864616A4CF for ; Wed, 11 Feb 2004 01:29:50 -0800 (PST) Received: from redix.it (host49-169.pool8172.interbusiness.it [81.72.169.49]) by mx1.FreeBSD.org (Postfix) with SMTP id 3C81A43D1D for ; Wed, 11 Feb 2004 01:29:49 -0800 (PST) (envelope-from roberto@redix.it) Received: (qmail 10260 invoked by uid 72); 11 Feb 2004 09:29:46 -0000 Received: from 192.168.0.77 (SquirrelMail authenticated user roberto) by mail.redix.it with HTTP; Wed, 11 Feb 2004 10:29:46 +0100 (CET) Message-ID: <1093.192.168.0.77.1076491786.squirrel@mail.redix.it> Date: Wed, 11 Feb 2004 10:29:46 +0100 (CET) From: roberto@redix.it To: freebsd-security@freebsd.org User-Agent: SquirrelMail/1.4.2 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 Importance: Normal Subject: Question about securelevel X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Feb 2004 09:29:50 -0000 I've read about securelevel in the mailing list archive, and found some pitfalls (and seems to me to be discarded soon). But According to me, the following configuration should offer a good security: - mount root fs read only at boot; - set securelevel to 3; - do not permit to unmount/remount roots fs read-write (now it is possible by means of "mount -uw /"); - the only way to make change at the file system is to reboot in single user, before the securelevel is set to 3, and make the changes needed (this means the administrator should use only the console); Any comments about? Bye, Roberto