Date: 26 Aug 2000 15:28:48 +0200 From: Slawek Zak <zaks@prioris.mini.pw.edu.pl> To: freebsd-security@freebsd.org Subject: Re: Securelevel and rw-remount Message-ID: <87n1i0talr.fsf@pf39.warszawa.sdi.tpnet.pl> In-Reply-To: Bruce Evans's message of "Sat, 26 Aug 2000 17:46:21 %2B1000 (EST)" References: <Pine.BSF.4.21.0008261740530.2018-100000@besplex.bde.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Bruce Evans <bde@zeta.org.au> writes:
> On 25 Aug 2000, Slawek Zak wrote:
>
> > Could someone tell me why is it possible to remount a read-only
> > mounted filesystem read-write after the securelevel is raised to 3? It
> > seems dangerous.
>
> Same reasonable as it is possible to use unmount and mount after the
> securelevel is raised to 3: someone considered this necessary for
> normal operation.
Well - I wouldn't call running system with secure level raised to 3
"normal operation". And yes - umounting fixed device filesystems
should be disabled (securelevel 4?)
> This seems reasonable, since disks can't be written to at
> securelevel 3, and a secure system shouldn't have any insecure
> devices attached, whether or not they are mounted.
Well - device mounted ro without the possibilty to write to it
either thru fs layer or raw device I *would* call secure. You can
have it using chflags -R schg, but it is very inconvenient when you
boot to single user and want to change something.
/S
--
"An expert is someone who knows more and more about less and less until
he/she knows absolutely everything about nothing."
--Weber's definition of Expert
* Suavek Zak / PGP: finger://zaks@prioris.mini.pw.edu.pl
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?87n1i0talr.fsf>