Date: Wed, 20 Dec 2000 09:30:55 +1300
From: "Michael A. Williams" <mike@netxsecure.net>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Read-Only Filesystems
Message-ID: <3A3FC57F.E80331A7@netxsecure.net>
References: <20001219114936.A23819@rfx-64-6-211-149.users.reflexco>

How about applying the immutable flag (uchg) with chflags to selected
branches of the file system tree and in combination with kernel
securelevel 2 then a reboot at the console into single user mode is
required to reverse the immutable state of the files. In the end this
comes down to physical security of the console.

cheers,
Mike.

"Crist J. Clark" wrote:
>
> I was recently playing around with the idea of having a read-only root
> filesystem. However, it has become clear that there is no way to
> prevent root from changing the mount properties on any filesystem,
> including the root filesystem, provided there is no hardware-level
> block on writing and there is someplace (anyplace) where root can
> write.
>
> Is that accurate? I guess one must go to a "trusted OS" to get that
> type of functionality?
> --
> Crist J. Clark                           cjclark@alum.mit.edu
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Michael A. Williams, InfoSec Technology Manager
NetXSecure NZ Limited, mike@netxsecure.net
www.netxsecure.com
Ph.+64.9.278.8348, Fax.+64.9.278.8352, Mob.+64.21.995.914
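
Added example (not part of the original message): a shell check for the chflags-plus-securelevel setup discussed in this thread, run over a constructed `ls -ldo` listing. It assumes that a raised securelevel only prevents clearing the system flags (such as schg), so files carrying just uchg are reported as still reversible by root; the function names and the sample listing are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Reads FreeBSD `ls -ldo` output
# (field 5 = file flags) and lists files whose protection root could still
# undo on the running system.
# Assumption: securelevel >= 1 only blocks clearing system flags such as schg.

# audit_flags SECURELEVEL   (listing on stdin)
# Prints "REVERSIBLE <reason> <path>" per weak entry; returns 1 if any.
audit_flags() {
    awk -v lvl="$1" '
    NF >= 10 {
        path = $10                      # rejoin paths containing spaces
        for (i = 11; i <= NF; i++) path = path " " $i
        sys = 0; usr = 0
        n = split($5, f, ",")           # flags are comma-separated
        for (i = 1; i <= n; i++) {
            if (f[i] == "schg") sys = 1
            if (f[i] == "uchg") usr = 1
        }
        if (sys && lvl + 0 >= 1) next   # locked until reboot to single user
        if (sys)      reason = "schg-securelevel-below-1"
        else if (usr) reason = "uchg-only"
        else          reason = "no-immutable-flag"
        printf "REVERSIBLE %s %s\n", reason, path
        bad = 1
    }
    END { exit bad + 0 }'
}

# Constructed sample listing (not real system output).
sample_listing() {
    cat <<'EOF'
-r-xr-xr-x  1 root  wheel  schg 1037440 Dec 19 09:00 /sbin/init
-r-xr-xr-x  1 root  wheel  uchg 54216 Dec 19 09:00 /bin/ls
-rw-r--r--  1 root  wheel  - 1204 Dec 19 09:00 /etc/rc.conf
-r-xr-xr-x  1 root  wheel  schg,uchg 30112 Dec 19 09:00 /bin/sh
EOF
}

# On a FreeBSD host the same check would be fed live data:
#   find /bin /sbin -exec ls -ldo {} + | audit_flags "$(sysctl -n kern.securelevel)"
sample_listing | audit_flags 2 || true
```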