Date: Tue, 17 Sep 2002 11:02:13 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Jimmy Lantz <jimmy.lantz@lusidor.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: mount read only || chflags schg & sec level 2
Message-ID: <20020917100213.GA73070@happy-idiot-talk.infracaninophi>
In-Reply-To: <5.1.0.14.0.20020917103713.032c3950@mail.lusidor.nu>
References: <5.1.0.14.0.20020917103713.032c3950@mail.lusidor.nu>

On Tue, Sep 17, 2002 at 10:39:10AM +0200, Jimmy Lantz wrote:

> I'm looking for a way to write protect
> some files what's the pros and cons
> with having the file on a separate partition and mount that read-only
> or use the chflags schg and go to kernel security level 2?

Either should work fine at keeping your files read-only, but you're
probably going over the top here. If your system can be compromised
to the extent that the normal filesystem protections can be overruled,
then the game is up anyhow --- someone with that level of access can
easily get around the sort of restrictions you're proposing.

If the intent is to prevent accidental deletion or modification of the
files while you're logged in as root, then 'chflags schg' is probably
appropriate --- you don't need to run at secure level 2 for the schg
flag to take effect, but you can only turn off schg at secure level 0
or lower.

If you're really paranoid about the files, then you could consider
storing the files on a medium that is read-only at the hardware level:
e.g. write the files to a CD-RW, which you then mount from a CD-ROM
drive, or use a hard drive you've jumpered to be read-only.

Or you could use a file integrity checker, like tripwire (ports:
security/tripwire) --- you can keep the tripwire checksum database on
a write protected floppy.

You should also store known good copies of the file off-line as a
backup: hardware failure is very good at erasing files despite all the
precautions a sysadmin can take.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks
Savill Way
Marlow
Bucks., SL7 1TH UK
Tel: +44 1628 476614
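
The checksum-database approach mentioned in the reply above, as an added example that is not part of the original message and is not tripwire itself: a baseline of SHA-256 hashes is recorded once, then compared against the live files to report modified, missing and added entries. The function names and the init/check arguments are hypothetical.

```sh
#!/bin/sh
# Added example: a minimal checksum baseline, in the spirit of a file
# integrity checker. It is not tripwire; all function names are hypothetical.
# Assumes file names contain no newlines.

# hash_file FILE: print the SHA-256 of FILE as 64 hex characters.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    else
        sha256 -q "$1"    # FreeBSD base system tool
    fi
}

# make_baseline DIR DB: write "hash  path" for every regular file under DIR.
# Keep DB outside DIR, ideally on write-protected media.
make_baseline() {
    find "$1" -type f | sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done > "$2"
}

# verify_baseline DIR DB: print one MODIFIED/MISSING/ADDED line per
# difference; return 0 if the tree matches the baseline, 1 otherwise.
verify_baseline() {
    dir=$1 db=$2
    report=$(
        while IFS= read -r line; do
            want=${line%%  *}    # text before the first double space
            f=${line#*  }        # text after it (the path)
            if [ ! -f "$f" ]; then
                printf 'MISSING %s\n' "$f"
            elif [ "$(hash_file "$f")" != "$want" ]; then
                printf 'MODIFIED %s\n' "$f"
            fi
        done < "$db"
        # Paths start at column 67: 64 hex digits plus two spaces.
        find "$dir" -type f | sort | while IFS= read -r f; do
            cut -c67- "$db" | grep -qxF -- "$f" || printf 'ADDED %s\n' "$f"
        done
    )
    if [ -z "$report" ]; then return 0; fi
    printf '%s\n' "$report"
    return 1
}

# Command-line use: script init DIR DB, or script check DIR DB.
case "${1:-}" in
    init)  make_baseline "$2" "$3" ;;
    check) verify_baseline "$2" "$3" ;;
esac
```

The check is only as trustworthy as the baseline file and the hashing tool, which is why the reply suggests keeping the database on write-protected media.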