From owner-freebsd-current@FreeBSD.ORG Wed Dec 15 11:18:41 2004
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6CC2F16A4CE;
	Wed, 15 Dec 2004 11:18:41 +0000 (GMT)
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B7B3B43D64;
	Wed, 15 Dec 2004 11:18:40 +0000 (GMT)
	(envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1])
	by critter.freebsd.dk (8.13.1/8.13.1) with ESMTP id iBFBIclK044116;
	Wed, 15 Dec 2004 12:18:38 +0100 (CET)
	(envelope-from phk@critter.freebsd.dk)
To: Matthias Andree
From: "Poul-Henning Kamp" <phk@critter.freebsd.dk>
In-Reply-To: Your message of "Wed, 15 Dec 2004 12:09:21 +0100."
Date: Wed, 15 Dec 2004 12:18:38 +0100
Message-ID: <44115.1103109518@critter.freebsd.dk>
Sender: phk@critter.freebsd.dk
cc: Ruslan Ermilov
cc: current@FreeBSD.org
Subject: Re: Background fsck is broken
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Wed, 15 Dec 2004 11:18:41 -0000

In message, Matthias Andree writes:
>"Poul-Henning Kamp" writes:
>
>> In message <20041215105326.GO25967@ip.net.ua>, Ruslan Ermilov writes:
>>
>>>Are you saying it's not possible to downgrade the open to
>>>(r=1, w=0, e=0) when a file system is downgraded from R/W to R/O?
>>
>> Yes: that would make a read-only mounted filesystem vulnerable to
>> overwriting through the /dev entry and we don't want that.
>>
>> The problem is that we do not in the kernel know if we are in single
>> user mode or not.
>
>What difference does this make? Aren't secure levels or mandatory access
>control and similar schemes sufficient to prevent tampering with direct
>device access?

No.
>Why would not root be allowed to nuke a read-only mounted file system?
>root has other means to trash a system, including writing junk into the
>hardware registers.

Just because root can go out of his way to do something stupid doesn't
mean that we should make it easier to make an honest mistake.

>On my wishlist, I've always wanted a "networked single user mode"
>(i. e. only sshd running, only root login with key possible), and I've
>always wondered why the whole system recovery is focused so much on the
>principle of a "single-user console".

Implement it!  I've wanted that for a long time too.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
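The (r, w, e) triple in Ruslan's question is GEOM's read/write/exclusive access count on a disk provider. The following is an added example, not code from the FreeBSD kernel or from anyone in this thread: a toy model of that counting, written to show concretely why keeping or dropping the exclusive count on an R/O remount decides whether a second opener can write to the device through its /dev node. The two rules it enforces (a write open fails while another consumer holds exclusive access; an exclusive open fails while another consumer holds write access), the device name da0s1a and the consumer labels are this example's assumptions, a simplification of the real rule rather than a copy of the kernel's g_access().

```c
/*
 * Added example: toy model of GEOM-style (r, w, e) access counting.
 * Not the FreeBSD kernel's code; the rules below are a simplification.
 */
#include <errno.h>
#include <stdio.h>

struct provider {               /* the disk, e.g. da0s1a (assumed name) */
    const char *name;
    int acr, acw, ace;          /* sum of all consumers' counts */
};

struct consumer {               /* one opener: a mount, or a /dev user */
    const char *name;
    struct provider *pp;
    int acr, acw, ace;          /* this consumer's own counts */
};

/*
 * Apply the delta (dr, dw, de) to consumer cp.  Returns 0 on success,
 * EINVAL if a count would go negative, EPERM if the request collides
 * with another consumer's access.  Modelled rules (assumption):
 *   - asking for write fails while someone ELSE holds exclusive;
 *   - asking for exclusive fails while someone ELSE holds write.
 */
static int access_model(struct consumer *cp, int dr, int dw, int de)
{
    struct provider *pp = cp->pp;
    int others_e = pp->ace - cp->ace;   /* exclusive held by others */
    int others_w = pp->acw - cp->acw;   /* write held by others */

    if (cp->acr + dr < 0 || cp->acw + dw < 0 || cp->ace + de < 0)
        return EINVAL;
    if (dw > 0 && others_e > 0)         /* another consumer is exclusive */
        return EPERM;
    if (de > 0 && others_w > 0)         /* another consumer is writing */
        return EPERM;

    cp->acr += dr; cp->acw += dw; cp->ace += de;
    pp->acr += dr; pp->acw += dw; pp->ace += de;
    return 0;
}

/*
 * Mount R/W as (1,1,1), remount R/O, then let a second consumer (think
 * dd(1) writing to /dev/da0s1a, or a repair tool in single-user mode)
 * ask for write access through the /dev node.
 *   keep_exclusive = 1: the R/O mount stays at (1,0,1)
 *   keep_exclusive = 0: the downgrade to (1,0,0) asked about in the thread
 * Returns the result of the /dev write open: 0 (allowed) or EPERM.
 */
int ro_remount_then_dev_write(int keep_exclusive)
{
    struct provider disk = { "da0s1a", 0, 0, 0 };
    struct consumer mnt = { "ufs mount", &disk, 0, 0, 0 };
    struct consumer dev = { "/dev opener", &disk, 0, 0, 0 };
    int err;

    if ((err = access_model(&mnt, 1, 1, 1)) != 0)       /* mount -o rw */
        return err;
    if ((err = access_model(&mnt, 0, -1, keep_exclusive ? 0 : -1)) != 0)
        return err;                                     /* mount -u -o ro */
    return access_model(&dev, 1, 1, 0);                 /* open(O_RDWR) */
}

/*
 * A read-only open through /dev (a tool that only inspects the device)
 * is unaffected by the exclusive count.  Returns the result of that open.
 */
int ro_mount_then_dev_read(void)
{
    struct provider disk = { "da0s1a", 0, 0, 0 };
    struct consumer mnt = { "ufs mount", &disk, 0, 0, 0 };
    struct consumer dev = { "/dev reader", &disk, 0, 0, 0 };
    int err;

    if ((err = access_model(&mnt, 1, 0, 1)) != 0)       /* mount -o ro */
        return err;
    return access_model(&dev, 1, 0, 0);                 /* open(O_RDONLY) */
}

int main(void)
{
    printf("R/O mount keeps e=1:  /dev write open -> %s\n",
           ro_remount_then_dev_write(1) == EPERM ? "EPERM" : "allowed");
    printf("R/O mount drops e:    /dev write open -> %s\n",
           ro_remount_then_dev_write(0) == EPERM ? "EPERM" : "allowed");
    printf("R/O mount keeps e=1:  /dev read open  -> %s\n",
           ro_mount_then_dev_read() == 0 ? "allowed" : "refused");
    return 0;
}
```

The point the model makes visible: the mount's own write count is irrelevant to what other openers may do; it is the exclusive count that refuses the write open in the first scenario and admits it in the second. A kernel that cannot tell a deliberate single-user repair from an accidental write has to pick one behaviour for both, which is the dilemma the message above describes.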