From owner-freebsd-security Wed Dec 20 13:11:24 2000
From owner-freebsd-security@FreeBSD.ORG Wed Dec 20 13:11:21 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mail.2cactus.com (unknown [198.93.52.67]) by hub.freebsd.org (Postfix) with ESMTP id A8A7837B400; Wed, 20 Dec 2000 13:11:20 -0800 (PST)
Received: from 2cactus.com ([192.168.1.4]) by mail.2cactus.com (8.9.3/8.9.3) with ESMTP id OAA85498; Wed, 20 Dec 2000 14:07:03 -0700 (MST) (envelope-from markz@2cactus.com)
Message-ID: <3A40BED3.1070909@2cactus.com>
Date: Wed, 20 Dec 2000 14:14:43 +0000
From: Mark Zielinski
Reply-To: Mark Zielinski
User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.12 i386; en-US; m18) Gecko/20001107 Netscape6/6.0
X-Accept-Language: en
MIME-Version: 1.0
To: Kris Kennaway
Cc: Alfred Perlstein, cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Read-Only Filesystems
References: <20001219114936.A23819@rfx-64-6-211-149.users.reflexco> <20001219120953.S19572@fw.wintelcom.net> <20001219211642.D13474@citusc.usc.edu>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is an attack that we fixed in SecureBSD by not allowing filesystems to be un-mounted and re-mounted back in May of 1999. We added security checks to the mount() and unmount() system calls based upon a MIB called securebsd.options.mount which could be turned on or off depending upon your securelevel setting.

Around the time that we wrote this feature, if your securelevel was not set to two or higher, root users could un-mount a filesystem and directly write to the file system's raw device in order to remove file flags on files. This option prevented this attack, even when your securelevel was only set at a level of one.

Kris Kennaway wrote:

> On Tue, Dec 19, 2000 at 12:09:53PM -0800, Alfred Perlstein wrote:
>
>> * Crist J. Clark [001219 11:50] wrote:
>>
>>> I was recently playing around with the idea of having a read-only root
>>> filesystem. However, it has become clear that there is no way to
>>> prevent root from changing the mount properties on any filesystem,
>>> including the root filesystem, provided there is no hardware-level
>>> block on writing and there is someplace (anyplace) where root can
>>> write.
>>>
>>> Is that accurate? I guess one must go to a "trusted OS" to get that
>>> type of functionality?
>>
>> You can trust freebsd. :)
>>
>> do some research on "securelevel"
>
> I don't believe mounting or remounting is denied by any securelevel... I
> raised this a few months ago but the consensus seemed to be that
> securelevel was too broken by design and the real fix was MAC, which
> is coming with TrustedBSD.
>
> Kris

-- 
Mark Zielinski
2 Cactus Development
Senior Software Engineer

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
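The unmount-then-raw-write attack Mark describes, and the securelevel-gated mount()/unmount() check that closes it, modelled in userland as an added example (this is not SecureBSD or FreeBSD code, and the semantics assumed for the securebsd.options.mount MIB, namely that when set it denies mount/unmount at securelevel >= 1, are an assumption; the function names sec_unmount, raw_write and run_scenario are hypothetical). The model follows the stock FreeBSD securelevel rules as documented in init(8): at securelevel 1 the immutable flag cannot be cleared and the device under a mounted filesystem cannot be opened for writing, at securelevel 2 no disk device can be written at all. It runs three scenarios and shows that, without the gate, securelevel 1 still lets root strip the flag by going around the filesystem.

```c
/* Added example, not code from the message or from SecureBSD/FreeBSD.
 * Userland model of the attack and of a securelevel-gated unmount check. */
#include <errno.h>
#include <stdio.h>

#define SF_IMMUTABLE 0x00020000UL /* same value as the BSD <sys/stat.h> flag */

/* One inode on the filesystem image. */
struct inode {
    unsigned long flags;
    char data[32];
};

/* A filesystem: its on-disk image (what the raw device exposes) and mount state. */
struct fs {
    struct inode image;
    int mounted;
};

/* Kernel knobs in the model. The MIB's exact semantics are assumed. */
static int securelevel = 0;
static int securebsd_options_mount = 0;

/* Write through the mounted filesystem: the immutable flag is honoured here. */
static int vfs_write(struct fs *fs, const char *buf)
{
    if (!fs->mounted)
        return ENOENT;
    if (fs->image.flags & SF_IMMUTABLE)
        return EPERM;
    snprintf(fs->image.data, sizeof fs->image.data, "%s", buf);
    return 0;
}

/* Assumed gate: deny the call when the option is on and securelevel >= 1. */
static int mount_gate(void)
{
    return (securebsd_options_mount && securelevel >= 1) ? EPERM : 0;
}

static int sec_unmount(struct fs *fs)
{
    int err = mount_gate();
    if (err)
        return err;
    fs->mounted = 0;
    return 0;
}

static int sec_mount(struct fs *fs)
{
    int err = mount_gate();
    if (err)
        return err;
    fs->mounted = 1;
    return 0;
}

/* Raw device write (stock securelevel rules): refused for a mounted device at
 * securelevel >= 1 and for any disk at securelevel >= 2. Otherwise the bytes
 * land on the image and file flags are never consulted. */
static int raw_write(struct fs *fs, unsigned long flags, const char *buf)
{
    if (fs->mounted && securelevel >= 1)
        return EPERM;
    if (securelevel >= 2)
        return EPERM;
    fs->image.flags = flags;
    snprintf(fs->image.data, sizeof fs->image.data, "%s", buf);
    return 0;
}

/* The attack: unmount, rewrite the inode via the raw device with flags cleared,
 * mount again. Returns the errno of the step that failed, 0 on success. */
static int strip_flags_attack(struct fs *fs)
{
    int err = sec_unmount(fs);
    if (err)
        return err;
    err = raw_write(fs, 0, "tampered");
    (void)sec_mount(fs); /* the gate that let unmount through lets mount through */
    return err;
}

/* Constructed scenario: one immutable file on a mounted filesystem. */
static int run_scenario(int level, int option, unsigned long *flags_out)
{
    struct fs fs = { { SF_IMMUTABLE, "original" }, 1 };
    securelevel = level;
    securebsd_options_mount = option;
    int err = strip_flags_attack(&fs);
    if (flags_out)
        *flags_out = fs.image.flags;
    return err;
}

/* Sanity check: the filesystem path itself does refuse the write. */
int vfs_write_immutable(void)
{
    struct fs fs = { { SF_IMMUTABLE, "original" }, 1 };
    return vfs_write(&fs, "tampered");
}

int attack_result(int level, int option) { return run_scenario(level, option, NULL); }

unsigned long flags_after_attack(int level, int option)
{
    unsigned long flags;
    run_scenario(level, option, &flags);
    return flags;
}

int main(void)
{
    static const struct { int level, option; } cases[] = { {1, 0}, {1, 1}, {2, 0} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int err = attack_result(cases[i].level, cases[i].option);
        printf("securelevel=%d option=%d: attack %s (errno %d), flags=%#lx\n",
               cases[i].level, cases[i].option, err ? "denied" : "succeeded",
               err, flags_after_attack(cases[i].level, cases[i].option));
    }
    return 0;
}
```

The first case is the gap from the message: securelevel 1 without the option leaves the flag stripped; the gate at securelevel 1 and stock securelevel 2 both stop it, at different steps.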