Date: Wed, 22 May 2002 15:41:53 -0700 (PDT)
From: Paul Herman
To: Stephanie Wehner <_@r4k.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: file flags in /modules
In-Reply-To: <20020522194304.GA70619@r4k.net>
Message-ID: <20020522151939.I51256-100000@mammoth.eat.frenchfries.net>

On Wed, 22 May 2002, Stephanie Wehner wrote:

> Is there any particular reason why the immutable flag is turned
> on for /kernel, but not for any loadable modules ?

Facetious answer: Yes. To make you think more about security. :-)

Informative answer: What good would it do? Assuming securelevel > 0,
the kernel won't let you kldload(2) modules anyway. You could rightly
argue that someone could overwrite a particular module and then reboot
the machine in order to have it loaded, but then /modules wouldn't be
your only worry. You'd have to protect many files, including but not
limited to:

  /modules
  /etc/rc
  /etc/rc.*
  /usr/local/etc/rc.d/*
  /boot/*
  /bin, /sbin, /usr/lib, and so on...

Which renders systems less usable than most people would like. You
don't want to go down that road.

securelevel is a nice compromise for most people, but it has its
limitations. If this is important to you, you might look into
mandatory access control systems used in trusted systems, like
TrustedBSD.

-Paul.
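
An added example, not part of the original message: a small audit that lists which of the boot-path files named above lack the system immutable flag (schg). It assumes FreeBSD's "ls -lo" column layout (flags in field 5, path in field 10) and path names without whitespace; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Boot-path files named in the message; the globs are expanded by the shell.
BOOT_PATHS='/kernel /modules /modules/* /etc/rc /etc/rc.* /usr/local/etc/rc.d/* /boot/*'

# Read FreeBSD "ls -lod" lines on stdin and print every path that lacks schg.
# Field 5 is the flags column: "-" for none, otherwise a comma list.
# uchg does not count: securelevel only pins the system flags, so root can
# still clear a user immutable flag at any securelevel.
missing_schg() {
    awk '{
        n = split($5, flags, ",")
        ok = 0
        for (i = 1; i <= n; i++) if (flags[i] == "schg") ok = 1
        if (!ok) print $10
    }'
}

# Live audit on a FreeBSD host. The securelevel is reported as well because
# schg itself can be removed by root while securelevel is 0 or lower.
audit_live() {
    echo "kern.securelevel=$(sysctl -n kern.securelevel)"
    # Word splitting and globbing of BOOT_PATHS are intended here.
    ls -lod $BOOT_PATHS 2>/dev/null | missing_schg
}

# Constructed sample of "ls -lod" output (not taken from a real system).
sample_listing() {
    cat <<'EOF'
-r-xr-xr-x  1 root  wheel  schg 3456789 May 22  2002 /kernel
drwxr-xr-x  2 root  wheel  - 2048 May 22  2002 /modules
-r-xr-xr-x  1 root  wheel  - 45678 May 22  2002 /modules/linux.ko
-rw-r--r--  1 root  wheel  uchg 9876 May 22  2002 /etc/rc
-r--r--r--  1 root  wheel  schg,nodump 512 May 22  2002 /boot/loader.conf
EOF
}

# Offline demonstration on the constructed listing.
sample_listing | missing_schg
```

On a FreeBSD host, call audit_live instead of the sample pipeline; the length of its output for even this short path list illustrates the usability cost the message describes.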