Date: Wed, 11 Feb 2004 10:35:07 -0500 From: Jim Zajkowski <jim@jimz.net> To: freebsd-security@freebsd.org Subject: Re: Question about securelevel Message-ID: <DF1C2DE5-5CA7-11D8-A225-000A95DA58FE@jimz.net> In-Reply-To: <1295.192.168.0.77.1076513042.squirrel@mail.redix.it> References: <1171.192.168.0.77.1076505166.squirrel@mail.redix.it><79D6F861-5C96-11D8-A225-000A95DA58FE@jimz.net> <2CAA7A5D-5C9A-11D8-ADF8-0030654D97EC@patpro.net> <1295.192.168.0.77.1076513042.squirrel@mail.redix.it>
next in thread | previous in thread | raw e-mail | index | archive | help
On Feb 11, 2004, at 10:24 AM, roberto@redix.it wrote: > Yes I agree with you: a secure system should be read-only fs, but to > overcome the drawbacks of a CDROM, I can use a standard hardisk with a > read-only file system while securelevel==3. The writable file system > should be available in single user mode only on console. If I figure out how to make your filesystem remount read-write without a reboot, the game is over. Running off a CD with a server which has a drive which cannot write discs, it doesn't much matter if I figured out how to change the RO mount or not, since the media itself cannot be written to [1]. Defense in depth. --Jim [1] I suppose those flash-IDE thingamabobs that have a switch to toggle to read-only work just as well here too.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?DF1C2DE5-5CA7-11D8-A225-000A95DA58FE>