Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 19 Dec 2000 21:50:58 -0800
From:      Alfred Perlstein <bright@wintelcom.net>
To:        Kris Kennaway <kris@FreeBSD.ORG>
Cc:        cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Subject:   Re: Read-Only Filesystems
Message-ID:  <20001219215057.F19572@fw.wintelcom.net>
In-Reply-To: <20001219211642.D13474@citusc.usc.edu>; from kris@FreeBSD.ORG on Tue, Dec 19, 2000 at 09:16:42PM -0800
References:  <20001219114936.A23819@rfx-64-6-211-149.users.reflexco> <20001219120953.S19572@fw.wintelcom.net> <20001219211642.D13474@citusc.usc.edu>
next in thread | previous in thread | raw e-mail | index | archive | help 
* Kris Kennaway <kris@FreeBSD.ORG> [001219 21:15] wrote:
> On Tue, Dec 19, 2000 at 12:09:53PM -0800, Alfred Perlstein wrote:
> > * Crist J. Clark <cjclark@reflexnet.net> [001219 11:50] wrote:
> > > I was recently playing around with the idea of having a read-only root
> > > filesystem. However, it has become clear that there is no way to
> > > prevent root from changing the mount properties on any filesystem,
> > > including the root filesystem, provided there is no hardware-level
> > > block on writing and there is someplace (anyplace) where root can
> > > write.
> > > 
> > > Is that accurate? I guess one must go to a "trusted OS" to get that
> > > type of functionality?
> > 
> > You can trust freebsd. :)
> > 
> > do some research on "securelevel"
> 
> I don't believe mounting or remounting is denied by any securelevel..I
> raised this a few months ago but the consensus seemed to be that
> securelevel was too broken by design and the real fix was MAC, which
> is coming with TrustedBSD.

I don't see the problem with fixing securelevel in that aspect since
the securelevel is raised late in the boot process, after the fs's
are mounted.  no?

-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001219215057.F19572>