From owner-freebsd-security Thu Jun 17 7:53:45 1999
Delivered-To: freebsd-security@freebsd.org
Received: from host07.rwsystems.net (kasie.rwsystems.net [209.197.192.103]) by hub.freebsd.org (Postfix) with ESMTP id 84EC714F26 for ; Thu, 17 Jun 1999 07:53:39 -0700 (PDT) (envelope-from jwyatt@RWSystems.net)
Received: from kasie.rwsystems.net([209.197.192.103]) (1418 bytes) by host07.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Thu, 17 Jun 1999 09:45:30 -0500 (CDT) (Smail-3.2.0.104 1998-Nov-20 #1 built 1998-Dec-24)
Date: Thu, 17 Jun 1999 09:45:20 -0500 (CDT)
From: James Wyatt
To: "Andy V. Oleynik"
Cc: Richard Childers, security@FreeBSD.ORG
Subject: Re: some nice advice....
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 17 Jun 1999, Andy V. Oleynik wrote:
> chflags schg /kernel
>
> On Thu, 17 Jun 1999, Richard Childers wrote:
> > "My kernel is set schg ..."
> >
> > Could you please expand on this ?

I would think 'expand' would result in more text than the quoted original.
Something like: "man chflags would tell you what schg means"
btw: 'apropos schg' returns 'schg: nothing appropriate' Ugh!

The 'schg' (system immutable) flag can be set by root to prevent *anyone*
from changing a file, including root. It takes effect when you run at a
more secure 'syslevel' and enhances security while running. It usually
does not cover stuff buried in rc.* scripts on reboot, though. I suppose
that you could set 'schg' on the rc.files and directories as well... - Jy@

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
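
The check suggested in the message above, as an added example that is not part of the original post: a shell audit that lists which of the kernel and rc files lack `schg` and reports whether the running level actually enforces the flag. It assumes the level in question is the `kern.securelevel` sysctl and that flags are read from the flags column of `ls -lo`; the function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the system-immutable flag on the kernel and rc files.
# On FreeBSD the real inputs would come from:
#   ls -lod /kernel /etc/rc*       (-o adds the file-flags column)
#   sysctl -n kern.securelevel
# The listing below is constructed so the script runs offline anywhere.

SAMPLE_LS='-r-xr-xr-x  1 root  wheel  schg 1534592 Jun 17 09:00 /kernel
-rw-r--r--  1 root  wheel  - 8021 Jun 17 09:00 /etc/rc
-rw-r--r--  1 root  wheel  schg,nodump 2240 Jun 17 09:00 /etc/rc.conf
-rw-r--r--  1 root  wheel  uchg 612 Jun 17 09:00 /etc/rc.local'

# missing_schg: read `ls -lo` lines on stdin, print paths that lack schg.
# Field 5 is the comma-separated flag list ("-" when no flag is set).
# uchg (user immutable) does not count: the owner can clear it.
# Paths containing spaces are not handled (the name is taken as $NF).
missing_schg() {
    awk '{
        n = split($5, flags, ",")
        found = 0
        for (i = 1; i <= n; i++) if (flags[i] == "schg") found = 1
        if (!found) print $NF
    }'
}

# schg_enforced: succeeds when the securelevel ($1) is above 0, the point
# at which the kernel refuses to clear schg, even for root.
schg_enforced() {
    [ "$1" -gt 0 ] 2>/dev/null
}

# audit: $1 = securelevel, stdin = `ls -lo` lines.
audit() {
    if schg_enforced "$1"; then
        echo "securelevel $1: schg cannot be cleared, even by root"
    else
        echo "securelevel $1: root can still run 'chflags noschg'"
    fi
    missing_schg | sed 's/^/not immutable: /'
}

printf '%s\n' "$SAMPLE_LS" | audit 1
```

With the constructed listing, `/etc/rc` and `/etc/rc.local` are reported: at boot they run before any raised level protects them, which is the gap the message points out.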