Date: Wed, 20 Dec 2000 18:29:36 -0800 From: Kris Kennaway <kris@FreeBSD.org> To: Jason DiCioccio <Jason.DiCioccio@Epylon.com> Cc: security@FreeBSD.org Subject: Re: Read-Only Filesystems Message-ID: <20001220182936.H22288@citusc.usc.edu> In-Reply-To: <657B20E93E93D4118F9700D0B73CE3EA024346@goofy.epylon.lan>; from Jason.DiCioccio@Epylon.com on Wed, Dec 20, 2000 at 06:05:58PM -0800 References: <657B20E93E93D4118F9700D0B73CE3EA024346@goofy.epylon.lan>
next in thread | previous in thread | raw e-mail | index | archive | help
--r5lq+205vWdkqwtk Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Dec 20, 2000 at 06:05:58PM -0800, Jason DiCioccio wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 >=20 > The only way I could think of to do his securely in the current > implementation is to chflags most of the etc dir (with the exception > of files that did need to be cahnged like passwd master.passwd > aliases, etc.).. mainly the rc files.. but this makes administering > remotely a pain in the ass.. Of course, security in many cases comes > with a hassle factor. Don't forget chflags'ing every binary involved in the startup process, too. And all of your kernel modules. And the boot loader and its config files. And all of the appropriate directories. And /etc/fstab so null or union mounts can't be used to shadow a protected file...you get the picture :-) Kris --r5lq+205vWdkqwtk Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6QWsQWry0BWjoQKURAvOAAJ4/kswqD1tCUCO3DZYqp79Xq5tx/wCfY0hc 61GSxDfLbCOf5CGdki8ZoNo= =/4Va -----END PGP SIGNATURE----- --r5lq+205vWdkqwtk-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001220182936.H22288>