Date: Fri, 22 Dec 2000 12:42:16 -0800
From: "VP of Engineering" <steve@napanet.net>
To: "Michael A. Williams" <mike@netxsecure.net>, <freebsd-security@FreeBSD.ORG>
Subject: Re: Read-Only Filesystems
Message-ID: <005001c06c57$adab1980$3da2169d@napanet.net>
References: <20001219114936.A23819@rfx-64-6-211-149.users.reflexco> <3A3FC57F.E80331A7@netxsecure.net>

Not quite as secure as putting your read only files on a separate drive and
placing the "read-only" jumper on the drive - then it requires getting into
the machine itself. Last time I checked this was a feature on many SCSI
drives, not many IDE drives.

Steve

----- Original Message -----
From: "Michael A. Williams" <mike@netxsecure.net>
To: <freebsd-security@FreeBSD.ORG>
Sent: Tuesday, December 19, 2000 12:30 PM
Subject: Re: Read-Only Filesystems

> How about applying the immutable flag (uchg) with chflags to selected
> branches of the file system tree and in combination with kernel
> securelevel 2 then a reboot at the console into single user mode is
> required to reverse the immutable state of the files.
> In the end this comes down to physical security of the console.
>
> cheers,
> Mike.
>
>
> "Crist J. Clark" wrote:
> >
> > I was recently playing around with the idea of having a read-only root
> > filesystem. However, it has become clear that there is no way to
> > prevent root from changing the mount properties on any filesystem,
> > including the root filesystem, provided there is no hardware-level
> > block on writing and there is someplace (anyplace) where root can
> > write.
> >
> > Is that accurate? I guess one must go to a "trusted OS" to get that
> > type of functionality?
> > --
> > Crist J. Clark cjclark@alum.mit.edu
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> --
> Michael A. Williams, InfoSec Technology Manager
> NetXSecure NZ Limited, mike@netxsecure.net www.netxsecure.com
> Ph.+64.9.278.8348, Fax.+64.9.278.8352, Mob.+64.21.995.914
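
The flag-plus-securelevel approach discussed in this thread, as an added example that is not part of the original messages: a shell function that reads `ls -lo` output and reports which files root could still modify at a given securelevel. It assumes FreeBSD's documented behaviour that securelevel 1 and above locks only the system immutable flag (`schg`), while `uchg` can be cleared by the owner or root at any level; the function names and the sample listing are constructed.

```shell
#!/bin/sh
# Added example: classify files by whether their immutable flag would
# hold against root at a given kern.securelevel.
# Input on stdin: FreeBSD `ls -lo` lines (file flags are column 5).

# audit_flags LEVEL  -> prints "<status> <name>" per file
#   locked          schg set and securelevel >= 1 (needs single-user mode to clear)
#   root-clearable  a flag is set, but root can remove it with chflags
#   unprotected     no immutable flag at all
audit_flags() {
    awk -v level="$1" '
    NF >= 10 {
        n = split($5, f, ","); sys = 0; usr = 0
        for (i = 1; i <= n; i++) {
            if (f[i] == "schg") sys = 1   # system immutable
            if (f[i] == "uchg") usr = 1   # user immutable
        }
        if (sys && level >= 1)  status = "locked"
        else if (sys || usr)    status = "root-clearable"
        else                    status = "unprotected"
        print status, $NF
    }'
}

# Constructed sample listing (not taken from a real system).
sample_listing() {
    cat <<'EOF'
-r-xr-xr-x  1 root  wheel  schg      511240 Dec 22 12:00 /sbin/init
-rw-r--r--  1 root  wheel  uchg        1204 Dec 22 12:00 /etc/rc.conf
-rw-r--r--  1 root  wheel  -            310 Dec 22 12:00 /etc/motd
-r--r--r--  1 root  wheel  schg,uchg   4096 Dec 22 12:00 /boot/loader.conf
EOF
}

# Demo at securelevel 2. On a live FreeBSD host the equivalent would be:
#   ls -lo /etc /sbin | audit_flags "$(sysctl -n kern.securelevel)"
sample_listing | audit_flags 2
```

Files reported as `root-clearable` are the ones to review: for those, the flag protects against accidents but not against a process already running as root.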