From owner-freebsd-security Wed Dec 20 18:28:21 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 20 18:28:18 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123]) by hub.freebsd.org (Postfix) with ESMTP id 76EA537B400 for ; Wed, 20 Dec 2000 18:28:18 -0800 (PST) Received: (from kris@localhost) by citusc.usc.edu (8.9.3/8.9.3) id SAA22915; Wed, 20 Dec 2000 18:29:36 -0800 Date: Wed, 20 Dec 2000 18:29:36 -0800 From: Kris Kennaway To: Jason DiCioccio Cc: security@FreeBSD.org Subject: Re: Read-Only Filesystems Message-ID: <20001220182936.H22288@citusc.usc.edu> References: <657B20E93E93D4118F9700D0B73CE3EA024346@goofy.epylon.lan> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="r5lq+205vWdkqwtk" Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <657B20E93E93D4118F9700D0B73CE3EA024346@goofy.epylon.lan>; from Jason.DiCioccio@Epylon.com on Wed, Dec 20, 2000 at 06:05:58PM -0800 Sender: kris@citusc.usc.edu Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --r5lq+205vWdkqwtk Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Dec 20, 2000 at 06:05:58PM -0800, Jason DiCioccio wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 >=20 > The only way I could think of to do his securely in the current > implementation is to chflags most of the etc dir (with the exception > of files that did need to be cahnged like passwd master.passwd > aliases, etc.).. mainly the rc files.. but this makes administering > remotely a pain in the ass.. Of course, security in many cases comes > with a hassle factor. Don't forget chflags'ing every binary involved in the startup process, too. And all of your kernel modules. And the boot loader and its config files. And all of the appropriate directories. And /etc/fstab so null or union mounts can't be used to shadow a protected file...you get the picture :-) Kris --r5lq+205vWdkqwtk Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6QWsQWry0BWjoQKURAvOAAJ4/kswqD1tCUCO3DZYqp79Xq5tx/wCfY0hc 61GSxDfLbCOf5CGdki8ZoNo= =/4Va -----END PGP SIGNATURE----- --r5lq+205vWdkqwtk-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message