Date: Tue, 19 Dec 2000 12:21:50 -0800 From: Alfred Perlstein <bright@wintelcom.net> To: cjclark@alum.mit.edu Cc: freebsd-security@FreeBSD.ORG Subject: Re: Read-Only Filesystems Message-ID: <20001219122150.U19572@fw.wintelcom.net> In-Reply-To: <20001219121901.C23819@rfx-64-6-211-149.users.reflexco>; from cjclark@reflexnet.net on Tue, Dec 19, 2000 at 12:19:01PM -0800 References: <20001219114936.A23819@rfx-64-6-211-149.users.reflexco> <20001219120953.S19572@fw.wintelcom.net> <20001219121901.C23819@rfx-64-6-211-149.users.reflexco>
next in thread | previous in thread | raw e-mail | index | archive | help
* Crist J. Clark <cjclark@reflexnet.net> [001219 12:19] wrote:
> On Tue, Dec 19, 2000 at 12:09:53PM -0800, Alfred Perlstein wrote:
> > * Crist J. Clark <cjclark@reflexnet.net> [001219 11:50] wrote:
> > > I was recently playing around with the idea of having a read-only root
> > > filesystem. However, it has become clear that there is no way to
> > > prevent root from changing the mount properties on any filesystem,
> > > including the root filesystem, provided there is no hardware-level
> > > block on writing and there is someplace (anyplace) where root can
> > > write.
> > >
> > > Is that accurate? I guess one must go to a "trusted OS" to get that
> > > type of functionality?
> >
> > You can trust freebsd. :)
> >
> > do some research on "securelevel"
>
> I am familiar with securelevel. Are you suggesting,
>
> # find -x / -exec chflags schg {} \;
No, that wouldn't be very prudent. That's why I said "do some
research", not "here's the magic bullet".
You owe the Oracle an article for daemonnews about securelevel.
--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001219122150.U19572>