From owner-freebsd-security Wed Oct 4 22:15:25 2000
Delivered-To: freebsd-security@freebsd.org
Received: from static.unixfreak.org (static.unixfreak.org [63.198.170.139])
	by hub.freebsd.org (Postfix) with ESMTP id 1734A37B66D
	for ; Wed, 4 Oct 2000 22:15:22 -0700 (PDT)
Received: by static.unixfreak.org (Postfix, from userid 1000)
	id C907D1F21; Wed, 4 Oct 2000 22:15:21 -0700 (PDT)
Subject: Re: BSD chpass (fwd)
In-Reply-To: <200010050453.AAA32275@mailer.progressive-comp.com> from Hank Leininger at "Oct 5, 2000 00:53:21 am"
To: Hank Leininger
Date: Wed, 4 Oct 2000 22:15:21 -0700 (PDT)
Cc: freebsd-security@FreeBSD.ORG
From: Dima Dorfman
Reply-To: dima@unixfreak.org
X-Mailer: ELM [version 2.4ME+ PL61 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <20001005051521.C907D1F21@static.unixfreak.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On 2000-10-05, Dima Dorfman wrote:
>
> > > On Wed, Oct 04, 2000 at 10:47:15AM -0400, Garrett Wollman wrote:
> > > Except you can still just mount a doctored copy over the top of it
>
> > Actually, now that I think about it, this can be deterred to a certain
> > point. If you're running with securelevel >= 2, you can't load KLDs,
> > and you can't run newfs. What would you mount? A vn device? Nope,
> > unless the KLD is already loaded. A floppy? If you have physical
>
> Perhaps this is a stupid question, but why is mount particularly needed at
> high securelevels? So long as unmount(2) can be called by shutdown
> scripts. Hm... remounting / ro before halt/reboot perhaps... but perhaps
> that behavior could be straightforward-ly special cased? It's not like
> mount(2) is a hot path =) And/or, disallow mounts to mount points which
> are not regular, empty directories, if securelevel >= 2? What legit uses
> (that could not be learned around by an admin) would this break?

Disallowing mounts altogether will break on-request mounting of
volumes by things like amd(8), which is quite important, IMO.
Disallowing mounts on non-empty directories and other "irregular"
files is another story. While there are some legitimate uses for
this, they are far less common.

Regards

-- 
Dima Dorfman
Finger dima@unixfreak.org for my public PGP key.

"War doesn't determine who's right, it determines who's left."
		-- Confucius
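
The rule discussed in this thread (at securelevel >= 2, refuse a mount onto anything that is not an empty directory), sketched in userland C. This is an added example, not FreeBSD kernel code and not part of the original message; `mountpoint_check` and `demo` are hypothetical names, and the securelevel is passed in as a plain integer rather than read from the kernel.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 0 = a mount over `path` is allowed; otherwise an errno value saying why not. */
int mountpoint_check(const char *path, int securelevel)
{
    struct stat sb;
    struct dirent *de;
    DIR *d;
    int rc = 0;
    if (securelevel < 2)
        return 0;                   /* rule applies only at securelevel >= 2 */
    if (lstat(path, &sb) != 0)      /* lstat: a symlink does not count as a directory */
        return errno;
    if (!S_ISDIR(sb.st_mode))
        return ENOTDIR;             /* "irregular" mount point */
    if ((d = opendir(path)) == NULL)
        return errno;
    while ((de = readdir(d)) != NULL)
        if (strcmp(de->d_name, ".") != 0 && strcmp(de->d_name, "..") != 0) {
            rc = ENOTEMPTY;         /* a mount here would shadow existing files */
            break;
        }
    closedir(d);
    return rc;
}

/* Constructed fixture: kind 0 = empty dir, 1 = dir holding a file, 2 = plain file. */
int demo(int kind, int securelevel)
{
    char base[] = "/tmp/mntchkXXXXXX", file[64];
    int fd, rc;
    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(file, sizeof(file), "%s/passwd", base);
    if (kind != 0 && (fd = open(file, O_CREAT | O_WRONLY, 0600)) >= 0)
        close(fd);
    rc = mountpoint_check(kind == 2 ? file : base, securelevel);
    unlink(file);                   /* clean up the constructed fixture */
    rmdir(base);
    return rc;
}
```

A populated directory is refused with ENOTEMPTY, which is the case of a doctored copy mounted over existing files; an empty directory, as amd(8) would use for on-request mounts, still passes.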