From owner-freebsd-security Sat Aug 26 06:29:04 2000
Delivered-To: freebsd-security@freebsd.org
Received: from prioris.mini.pw.edu.pl (prioris.mini.pw.edu.pl [148.81.80.7]) by hub.freebsd.org (Postfix) with ESMTP id 88B0137B422 for ; Sat, 26 Aug 2000 06:28:58 -0700 (PDT)
Received: from pf39.warszawa.sdi.tpnet.pl (prioris.mini.pw.edu.pl [148.81.80.7]) by prioris.mini.pw.edu.pl (Postfix) with ESMTP id 052B17CF12 for ; Sat, 26 Aug 2000 15:28:54 +0200 (CEST)
Received: (from zaks@localhost) by pf39.warszawa.sdi.tpnet.pl (8.9.3/8.9.3) id PAA00499; Sat, 26 Aug 2000 15:28:48 +0200 (CEST) (envelope-from zaks)
Content-MD5: 2ba6fa02d0f4b9505f439f6fff7d5c35
From: Slawek Zak
To: freebsd-security@freebsd.org
Subject: Re: Securelevel and rw-remount
References:
Date: 26 Aug 2000 15:28:48 +0200
In-Reply-To: Bruce Evans's message of "Sat, 26 Aug 2000 17:46:21 +1000 (EST)"
Message-ID: <87n1i0talr.fsf@pf39.warszawa.sdi.tpnet.pl>
Lines: 31
User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Bryce Canyon)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Bruce Evans writes:

> On 25 Aug 2000, Slawek Zak wrote:
>
> > Could someone tell me why it is possible to remount a read-only
> > mounted filesystem read-write after the securelevel is raised to 3? It
> > seems dangerous.
>
> Same reasonable as it is possible to use unmount and mount after the
> securelevel is raised to 3: someone considered this necessary for
> normal operation.

Well - I wouldn't call running a system with secure level raised to 3
"normal operation". And yes - umounting fixed device filesystems should
be disabled (securelevel 4?)

> This seems reasonable, since disks can't be written to at
> securelevel 3, and a secure system shouldn't have any insecure
> devices attached, whether or not they are mounted.

Well - a device mounted ro without the possibility to write to it either
through the fs layer or the raw device I *would* call secure.
You can have it using chflags -R schg, but it is very inconvenient when
you boot to single user and want to change something.

/S
--
"An expert is someone who knows more and more about less and less until
he/she knows absolutely everything about nothing." --Weber's definition of Expert
* Suavek Zak / PGP: finger://zaks@prioris.mini.pw.edu.pl
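The point of the thread is that raising kern.securelevel to 3 does not, by itself, stop a read-only fixed-device filesystem from being remounted read-write, so the mount state has to be checked independently. The following POSIX sh check is an added example, not code from this message or from FreeBSD: it scans mount(8)-style output lines and reports fixed-device filesystems (/dev/*) that are mounted read-write while the securelevel is 3 or higher. The mount lines, the securelevel value, the function name audit_rw_mounts and the RW-AT-SECURELEVEL tag are all constructed for the example; on a live host the input would come from `mount` and `sysctl -n kern.securelevel`.

```shell
#!/bin/sh
# Added example: audit mount(8)-style output for fixed-device filesystems
# that are read-write while kern.securelevel is 3 or higher.
# Line format assumed (FreeBSD mount(8)):  <device> on <mountpoint> (<opts>)
# A filesystem counts as read-only only if its option list says "read-only".

# Constructed sample in place of live `mount` output.
SAMPLE_MOUNTS='/dev/ad0s1a on / (ufs, local, read-only)
/dev/ad0s1f on /usr (ufs, local, read-only, soft-updates)
/dev/ad0s1e on /var (ufs, local, soft-updates)
devfs on /dev (devfs, local)
procfs on /proc (procfs, local)'

# audit_rw_mounts LEVEL   (mount lines on stdin)
# Prints one "RW-AT-SECURELEVEL <device> <mountpoint>" line per fixed-device
# filesystem that is read-write while LEVEL >= 3.  Returns 1 if any were
# reported, 0 otherwise.
audit_rw_mounts() {
    level=$1
    found=0
    while IFS= read -r line; do
        # Only fixed device filesystems; skip devfs, procfs, nfs, etc.
        case "$line" in
            /dev/*) ;;
            *) continue ;;
        esac
        # A filesystem whose options include read-only is not of interest.
        case "$line" in
            *read-only*) continue ;;
        esac
        if [ "$level" -ge 3 ]; then
            dev=${line%% on *}          # text before " on "
            rest=${line#* on }          # text after  " on "
            mnt=${rest%% (*}            # mount point before " ("
            echo "RW-AT-SECURELEVEL $dev $mnt"
            found=1
        fi
    done
    return $found
}

# Stand-alone run against the constructed sample at securelevel 3.
if printf '%s\n' "$SAMPLE_MOUNTS" | audit_rw_mounts 3; then
    echo "no read-write fixed-device mounts at securelevel 3"
fi
```

Against the sample, /var is reported because it carries no read-only option while the securelevel is 3; the same input at securelevel 2 reports nothing, since at that level a read-write mount is not a contradiction of the expected state.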