From owner-freebsd-security  Thu Jun 17  8: 9:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from axl.noc.iafrica.com (axl.noc.iafrica.com [196.31.1.175])
	by hub.freebsd.org (Postfix) with ESMTP id 17E2514F26
	for <security@freebsd.org>; Thu, 17 Jun 1999 08:09:34 -0700 (PDT)
	(envelope-from sheldonh@axl.noc.iafrica.com)
Received: from sheldonh (helo=axl.noc.iafrica.com)
	by axl.noc.iafrica.com with local-esmtp (Exim 3.02 #1)
	id 10udmP-000Mtk-00; Thu, 17 Jun 1999 17:08:37 +0200
From: Sheldon Hearn <sheldonh@uunet.co.za>
To: James Wyatt <jwyatt@RWSystems.net>
Cc: "Andy V. Oleynik" <andyo@mail.prime.net.ua>,
	Richard Childers <rchilders@hamquist.com>, security@FreeBSD.ORG
Subject: Re: some nice advice.... 
In-reply-to: Your message of "Thu, 17 Jun 1999 09:45:20 EST."
             <Pine.BSF.4.05.9906170936390.23319-100000@kasie.rwsystems.net> 
Date: Thu, 17 Jun 1999 17:08:37 +0200
Message-ID: <88023.929632117@axl.noc.iafrica.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org



On Thu, 17 Jun 1999 09:45:20 EST, James Wyatt wrote:

> The 'schg' (system immutable) flag can be set by root to prevent *anyone*
> from changing a file, including root. It takes effect when you run at a
> more secure 'syslevel' and enhances security while running.

For the record:

Schg is always "in effect". At non-zero securelevels (not syslevels),
nobody can remove the schg flag. Effectively, the same thing as what you
said, but the difference is worth explaining.

And the manpage to refer people to is init(8).

Ciao,
Sheldon.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message