From owner-freebsd-security  Thu May 31 11: 0:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142])
	by hub.freebsd.org (Postfix) with ESMTP
	id 7B4F937B422; Thu, 31 May 2001 11:00:21 -0700 (PDT)
	(envelope-from crist.clark@globalstar.com)
Received: from globalstar.com ([207.88.153.184]) by
          nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with
          ESMTP id GE7ONV00.02E; Thu, 31 May 2001 10:59:55 -0700 
Message-ID: <3B1686B2.5693822B@globalstar.com>
Date: Thu, 31 May 2001 11:00:18 -0700
From: "Crist Clark" <crist.clark@globalstar.com>
Organization: Globalstar LP
X-Mailer: Mozilla 4.77 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Dan Pelleg <dpelleg+bsd@REMOVEcs.cmu.edu>
Cc: freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject: Re: remounts (was: Re: adding "noschg" to ssh and friends)
References: <20010531123020.6044537B422@hub.freebsd.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Dan Pelleg wrote:
> 
> "Karsten W. Rohrbach" <karsten@rohrbach.de> wrote:
> > there are some real high-impact tweaks to be a little bit safer from
> > rootkits. one of them is mounting /tmp noexec. drawback: you got to
> > remount it exec for make installworld.
> 
>  I always wondered... Why are remounts permitted in all securelevels? I
> mean, in a locked-down system where it's acceptable to force a reboot in
> order to upgrade (or run a rootkit), I should be able to enforce read-only
> mounts. Currently anyone (well, root) can just mount -u -w them.
> 
>  Is this an implementation problem in mount(2)? (I haven't looked at the
> code). Or is this going to break things for people (amd?  in high
> securelevels?). What am I missing?

I wrote a very simple patch that disallows mount(2) calls at elevated
securelevel some time ago. Check the -security archives for December
or so. Also look for a long thread on the whole question of turning off
mount(2) at high securelevel.

As for breaking things, yes, it will. You cannot mount stuff. But that's
the whole idea. ;)

OK, found it in the archive,

  http://docs.freebsd.org/mail/archive/2000/freebsd-security/20001224.freebsd-security.html

Look at the 'Read-Only Filesystems' thread.
-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact postmaster@globalstar.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message