From: Spidey
Date: Tue, 28 Dec 1999 14:07:39 -0500 (EST)
To: freebsd-security@freebsd.org
Subject: Mounting / Read-Only
Message-ID: <14441.2683.366094.187063@anarcat.dyndns.org>
Reply-To: beaupran@iro.umontreal.ca

Hi!

I am currently in the process of enforcing a policy of / and /usr being mounted read-only. I would like to know if other people have tried this policy and/or the modifications that have been needed.

Right now, I have been forced to turn off "UPDATE_MOTD" (duh!). There are also the following lines in /etc/rc

    # Whack the pty perms back into shape.
    chflags 0 /dev/tty[pqrsPQRS]*
    chmod 666 /dev/tty[pqrsPQRS]*
    chown root:wheel /dev/tty[pqrsPQRS]*

that give annoying warnings (read-only filesystem). A good idea would be to change it to:

    # Whack the pty perms back into shape.
    chflags 0 /dev/tty[pqrsPQRS]* 2> /dev/null
    chmod 666 /dev/tty[pqrsPQRS]* 2> /dev/null
    chown root:wheel /dev/tty[pqrsPQRS]* 2> /dev/null

since it does not produce any output normally either.

I was also wondering... If we can modify the status (RW/RO) of a mounted filesystem (/ included) with mount -u, why bother? :)) What is the purpose of mounting a filesystem ReadOnly, since it can be disabled? Does it serve the same function as the schg flag? I think the securelevel does not change this behavior, right?

Anyways, any personal experiences or advice are welcome.

Thanks

The AnarCat

--
If the image gives the illusion of knowing
It is because the adage claims that, to believe,
All that matters is to see
Lofofora
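
Since the message points out that `mount -u` can switch a mounted filesystem back to read-write, a periodic check that the policy mount points are still read-only is one way to notice a change. The script below is an added example, not part of the original message or of FreeBSD's rc scripts; the function names, the sample mount lines and the assumed `mount` output format (`<device> on <mountpoint> (<options>)`, with `read-only` among the options) are assumptions.

```shell
#!/bin/sh
# Added example: report policy mount points that are not mounted read-only.
# Assumed line format: "<device> on <mountpoint> (<opt>, <opt>, ...)".

# Reads mount(8)-style lines on stdin; arguments are the mount points that
# policy requires to be read-only. Prints "<mountpoint>: rw" or
# "<mountpoint>: missing" for each violation and returns 1 if any exist.
check_ro() {
    awk -v policy="$*" '
    BEGIN {
        n = split(policy, want, " ")
        for (i = 1; i <= n; i++) state[want[i]] = "missing"
    }
    {
        mp = $3                      # field after the literal "on"
        if (!(mp in state)) next
        opts = $0                    # keep only the text inside ( ... )
        sub(/^[^(]*\(/, "", opts)
        sub(/\).*$/, "", opts)
        m = split(opts, o, ", *")
        ro = 0
        for (j = 1; j <= m; j++) if (o[j] == "read-only") ro = 1
        state[mp] = ro ? "ro" : "rw" # a later mount on the same point wins
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++)
            if (state[want[i]] != "ro") { print want[i] ": " state[want[i]]; bad = 1 }
        exit bad
    }'
}

# Constructed sample mount output (not from the original message).
sample_mounts() {
    cat <<'EOF'
/dev/ad0s1a on / (ufs, local, read-only)
/dev/ad0s1f on /usr (ufs, local)
/dev/ad0s1e on /var (ufs, local, soft-updates)
EOF
}

# Demo on the sample; on a live system use: mount | check_ro / /usr
sample_mounts | check_ro / /usr || echo "read-only policy violated"
```

Mount points containing spaces are not handled, because the mount point is taken as the third whitespace-separated field.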