From owner-freebsd-security Tue Dec 19 12:10: 8 2000 From owner-freebsd-security@FreeBSD.ORG Tue Dec 19 12:10:03 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 2E8A837B402 for ; Tue, 19 Dec 2000 12:10:03 -0800 (PST) Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id eBJK9r920292; Tue, 19 Dec 2000 12:09:53 -0800 (PST) Date: Tue, 19 Dec 2000 12:09:53 -0800 From: Alfred Perlstein To: cjclark@alum.mit.edu Cc: freebsd-security@FreeBSD.ORG Subject: Re: Read-Only Filesystems Message-ID: <20001219120953.S19572@fw.wintelcom.net> References: <20001219114936.A23819@rfx-64-6-211-149.users.reflexco> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20001219114936.A23819@rfx-64-6-211-149.users.reflexco>; from cjclark@reflexnet.net on Tue, Dec 19, 2000 at 11:49:36AM -0800 Sender: bright@fw.wintelcom.net Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * Crist J. Clark [001219 11:50] wrote: > I was recently playing around with the idea of having a read-only root > filesystem. However, it has become clear that there is no way to > prevent root from changing the mount properties on any filesystem, > including the root filesystem, provided there is no hardware-level > block on writing and there is someplace (anyplace) where root can > write. > > Is that accurate? I guess one must go to a "trusted OS" to get that > type of functionality? You can trust freebsd. :) do some research on "securelevel" -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] "I have the heart of a child; I keep it in a jar on my desk." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message