Date: Wed, 20 Dec 2000 23:12:05 -0800 From: "Crist J. Clark" <cjclark@reflexnet.net> To: Kris Kennaway <kris@FreeBSD.ORG> Cc: Alfred Perlstein <bright@wintelcom.net>, Mark Zielinski <markz@2cactus.com>, cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG Subject: Re: Read-Only Filesystems Message-ID: <20001220231205.W96105@149.211.6.64.reflexcom.com> In-Reply-To: <20001220175931.E22288@citusc.usc.edu>; from kris@FreeBSD.ORG on Wed, Dec 20, 2000 at 05:59:31PM -0800 References: <20001219114936.A23819@rfx-64-6-211-149.users.reflexco> <20001219120953.S19572@fw.wintelcom.net> <20001219211642.D13474@citusc.usc.edu> <3A40BED3.1070909@2cactus.com> <20001220174056.C22288@citusc.usc.edu> <20001220174129.F19572@fw.wintelcom.net> <20001220175931.E22288@citusc.usc.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Dec 20, 2000 at 05:59:31PM -0800, Kris Kennaway wrote: > On Wed, Dec 20, 2000 at 05:41:29PM -0800, Alfred Perlstein wrote: [snip] > > Actually, securelevel as a all-covering blanket would work better > > if people implemented fixes for it like a solution for the mount > > problem described here. > > That still doesn't alter the fact that only a single reboot is needed > to undo the restrictions. Could you elaborate on what scenario you are describing? Of course if the attacker has physical access, he is a reboot away from getting by securelevel. But is there a remote attack involving a reboot which negates securelevel besides the obvious case where the rc* files (and init, and kernel, and... ) are not sufficiently protected? -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001220231205.W96105>