Date: Wed, 15 Dec 2004 12:09:21 +0100
From: Matthias Andree <ma@dt.e-technik.uni-dortmund.de>
To: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
Cc: current@FreeBSD.org
Subject: Re: Background fsck is broken
Message-ID: <m33by7zula.fsf@merlin.emma.line.org>
In-Reply-To: <43754.1103108217@critter.freebsd.dk> (Poul-Henning Kamp's message of "Wed, 15 Dec 2004 11:56:57 +0100")
References: <43754.1103108217@critter.freebsd.dk>
"Poul-Henning Kamp" <phk@phk.freebsd.dk> writes:

> In message <20041215105326.GO25967@ip.net.ua>, Ruslan Ermilov writes:
>
>> Are you saying it's not possible to downgrade the open to
>> (r=1, w=0, e=0) when a file system is downgraded from R/W to R/O?
>
> Yes: that would make a read-only mounted filesystem vulnerable to
> overwriting through the /dev entry and we don't want that.
>
> The problem is that we do not in the kernel know if we are in single
> user mode or not.

What difference does this make? Aren't secure levels or mandatory access control and similar schemes sufficient to prevent tampering with direct device access?

Why would not root be allowed to nuke a read-only mounted file system? root has other means to trash a system, including writing junk into the hardware registers.

On my wishlist, I've always wanted a "networked single user mode" (i. e. only sshd running, only root login with key possible), and I've always wondered why the whole system recovery is focused so much on the principle of a "single-user console".

-- 
Matthias Andree