From owner-freebsd-hackers Sat Feb 17 22:13:03 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id WAA27262 for hackers-outgoing; Sat, 17 Feb 1996 22:13:03 -0800 (PST)
Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.19]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id WAA27238 for ; Sat, 17 Feb 1996 22:12:34 -0800 (PST)
Received: (from bde@localhost) by godzilla.zeta.org.au (8.6.12/8.6.9) id RAA29273; Sun, 18 Feb 1996 17:08:54 +1100
Date: Sun, 18 Feb 1996 17:08:54 +1100
From: Bruce Evans
Message-Id: <199602180608.RAA29273@godzilla.zeta.org.au>
To: hackers@freebsd.org, uhclem@nemesis.lonestar.org
Subject: Re: Is "immutable" supposed to be a good idea?
Sender: owner-hackers@freebsd.org
Precedence: bulk

>[4]I vaguely remember that some of these flags were not supposed to
>[4]come into effect until the system went into multi-user mode..

No, see the init man page.

>That would be OK *if* we waited until the system was all the way up
>before going into that mode. In my case, fsck bombed and
>offered me a sh. The system is apparently already in this
>"secure" mode at that point.

By default, the system is always in insecure mode (security level -1; use `sysctl kern.securelevel' to see the level).

>The same was true if I booted -s. By the time I got a shell,
>the system was honoring the immut flag.

The immutable flags are always honoured. In secure mode, you can't turn them off. In highly secure mode, you can write to the disk directly to turn them off.

>If secure mode is something we turn on during the boot process,

You'd be really unhappy if we turned on secure mode :-).

>[4]I don't think these flags should be noticed till root decides to go
>[4]'secure'
>I agree.

I disagree. The problem is that the immutable flags are set by default on systems that will never run in secure mode. This provides some protection against root doing stupid things, but very little security.

The immutable flags aren't much use for protecting binaries and libraries anyway. Root can bypass them by moving the directory out of the way. Only their contents are protected. Protecting contents is useful for log files, but log files aren't immutable or append-only by default.

Bruce
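The two points Bruce makes, that the kernel securelevel decides whether root can clear the system flags, and that log files ship without the schg or sappnd flags, translate into a small audit an administrator can run. The script below is an added example written for this page, not code from the thread or from FreeBSD itself. It interprets a kern.securelevel value, tells you whether the system flags can still be cleared at that level, and scans `ls -lo` style listings for files that carry neither schg (system immutable) nor sappnd (system append-only). The listing lines are constructed sample data so the script runs offline; on a real host you would feed it `ls -lo /var/log/*` instead.

```shell
#!/bin/sh
# Added example, not part of the original thread. Interprets kern.securelevel
# and audits `ls -lo` output for the schg / sappnd flags.
# SAMPLE_LS below is constructed sample data, not output from a real host.

# Map a kern.securelevel value to the mode names used in the thread:
# -1 and 0 are insecure, 1 is secure, 2 and 3 are highly secure.
securelevel_mode() {
  case "$1" in
    -1|0) echo "insecure" ;;
    1)    echo "secure" ;;
    2|3)  echo "highly secure" ;;
    *)    echo "unknown" ;;
  esac
}

# True (exit 0) when root can still clear schg/sappnd: only while the
# securelevel is 0 or lower. Once it is raised the flags stay until reboot.
can_clear_system_flags() {
  [ "$1" -le 0 ]
}

# Read `ls -lo` style lines on stdin and print the names of files whose
# flags column (field 5, shown as "-" when no flags are set) carries none
# of the space-separated flags given in $1.
missing_flags() {
  awk -v wants="$1" '
    BEGIN { nw = split(wants, w, " ") }
    NF >= 10 {
      n = split($5, f, ",")
      found = 0
      for (i = 1; i <= n; i++)
        for (j = 1; j <= nw; j++)
          if (f[i] == w[j]) found = 1
      if (!found) print $NF
    }'
}

# Constructed sample: an immutable binary, an unprotected log file, and an
# append-only log file.
SAMPLE_LS='-r-xr-xr-x  1 root  wheel  schg    307200 Feb 17  1996 /bin/sh
-rw-r--r--  1 root  wheel  -          4096 Feb 17  1996 /var/log/messages
-rw-------  1 root  wheel  sappnd     8192 Feb 17  1996 /var/log/secure'

# Files whose contents root (or anyone) can rewrite in place: neither
# immutable nor append-only. These are the candidates for `chflags sappnd`.
unprotected() {
  printf '%s\n' "$SAMPLE_LS" | missing_flags "schg sappnd"
}

# Stand-alone demonstration.
printf 'securelevel 1 is %s mode\n' "$(securelevel_mode 1)"
if can_clear_system_flags 1; then
  echo "system flags can be cleared"
else
  echo "system flags are locked until reboot"
fi
echo "Files with neither schg nor sappnd:"
unprotected
```

The audit is deliberately read-only: it reports which files would benefit from sappnd and tells you whether the current securelevel still allows the flag to be cleared, so the decision to raise the level, and thereby lock the flags, stays with the administrator.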