Date: Wed, 20 Dec 2000 18:29:36 -0800 From: Kris Kennaway <kris@FreeBSD.org> To: Jason DiCioccio <Jason.DiCioccio@Epylon.com> Cc: security@FreeBSD.org Subject: Re: Read-Only Filesystems Message-ID: <20001220182936.H22288@citusc.usc.edu> In-Reply-To: <657B20E93E93D4118F9700D0B73CE3EA024346@goofy.epylon.lan>; from Jason.DiCioccio@Epylon.com on Wed, Dec 20, 2000 at 06:05:58PM -0800 References: <657B20E93E93D4118F9700D0B73CE3EA024346@goofy.epylon.lan>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On Wed, Dec 20, 2000 at 06:05:58PM -0800, Jason DiCioccio wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > The only way I could think of to do his securely in the current > implementation is to chflags most of the etc dir (with the exception > of files that did need to be cahnged like passwd master.passwd > aliases, etc.).. mainly the rc files.. but this makes administering > remotely a pain in the ass.. Of course, security in many cases comes > with a hassle factor. Don't forget chflags'ing every binary involved in the startup process, too. And all of your kernel modules. And the boot loader and its config files. And all of the appropriate directories. And /etc/fstab so null or union mounts can't be used to shadow a protected file...you get the picture :-) Kris [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6QWsQWry0BWjoQKURAvOAAJ4/kswqD1tCUCO3DZYqp79Xq5tx/wCfY0hc 61GSxDfLbCOf5CGdki8ZoNo= =/4Va -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001220182936.H22288>