From: Dag-Erling Smorgrav
Date: 18 Oct 1999 09:55:32 +0200
To: Justin Wells
Cc: Doug, Antoine Beaupre, Mike Nowlin, "Rashid N. Achilov", freebsd-security@FreeBSD.ORG
Subject: Re: kern.securelevel and X

Justin Wells writes:
> 1) securelevel does not stop root from remounting / read-write,
>    since mount is specifically excepted (I tried it too, I was
>    able to do a "mount -u -o rw /" at securelevel 3 as root)

Well, then, fix mount(8) so it won't run at high securelevels. You
know where to find the source code.

> 2) mounting / read only is nasty anyway, since you lose the
>    ability to chown /dev/tty* which makes some things act
>    very weird (many programs expect you will own your tty
>    or else they get angry)

Use DEVFS, or union-mount an MFS on top of /dev.

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no