Date:      Thu, 12 Apr 2007 15:55:09 +0200
From:      Bernd Walter <ticso@cicely12.cicely.de>
To:        Robert Watson <rwatson@FreeBSD.org>
Cc:        John Nielsen <lists@jnielsen.net>, ticso@cicely.de, current@FreeBSD.org
Subject:   Re: ZFS to support chflags?
Message-ID:  <20070412135508.GX30772@cicely12.cicely.de>
In-Reply-To: <20070412133301.L99718@fledge.watson.org>
References:  <200704112004.03903.lists@jnielsen.net> <20070412021645.GQ30772@cicely12.cicely.de> <20070412114135.C64803@fledge.watson.org> <20070412112045.GR30772@cicely12.cicely.de> <20070412133301.L99718@fledge.watson.org>

On Thu, Apr 12, 2007 at 01:34:11PM +0100, Robert Watson wrote:
> 
> On Thu, 12 Apr 2007, Bernd Walter wrote:
> 
> >>I'm not a big fan of setting these flags -- I fairly frequently run into 
> >>problems when I installworld an NFS root on the NFS host, then try to 
> >>work with it over NFS from the NFS-booted system, as the flags can't be 
> >>removed via NFS.  They don't offer a security benefit as-installed, and 
> >>perhaps offer a benefit with respect to preventing people from shooting 
> >>themselves in the foot (or perhaps not).
> >
> >They do add security benefits for jails. E.g. hardlink system binaries 
> >over multiple jails flagged immutable. No jail can compromise the data in 
> >other jails, while still allowing the kernel to share memory pages for it.
> 
> However, the standard installworld doesn't do this.  I don't object to 
> the flags existing, it's rather that I think that the incremental benefit 
> of the cases where we do set them by default via installworld isn't there.  
> If you're going to use schg to protect jails, it basically requires setting 
> the flag on all the directories and files that are shared, and that 
> wouldn't be a good default either. :-)

Agreed - the base usage of those flags isn't a big win.
Never saw your NFS problem, but that is only because I either cpio'ed my
new host-root directories or update on the NFS-server in a chroot.
So it was just luck that I did not see it yet.

It would be nice to have them in ZFS for other purposes.

-- 
B.Walter                http://www.bwct.de      http://www.fizon.de
bernd@bwct.de           info@bwct.de            support@fizon.de
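
Added example, not part of the original message or of FreeBSD: a small audit for the jail setup discussed in the thread, reporting hardlinked files, and the directories holding them, that lack the schg flag. It assumes that a regular file with a link count above one is shared with another jail, and the script name and jail path are hypothetical.

```python
import os
import stat
import sys

def has_schg(st):
    # st_flags exists on FreeBSD; where it is absent the flag counts as unset.
    return bool(getattr(st, "st_flags", 0) & stat.SF_IMMUTABLE)

def audit_shared_tree(root, lstat=os.lstat):
    """Return (path, reason) for hardlinked files, and the directories
    holding them, that do not carry the system immutable flag (schg)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        holds_shared = False
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = lstat(path)
            # Assumption: a regular file with more than one link is shared
            # with another jail's tree.
            if not stat.S_ISREG(st.st_mode) or st.st_nlink < 2:
                continue
            holds_shared = True
            if not has_schg(st):
                findings.append((path, "hardlinked file without schg"))
        # Per the reply above, the flag is also needed on shared directories.
        if holds_shared and not has_schg(lstat(dirpath)):
            findings.append((dirpath, "directory of shared files without schg"))
    return findings

if __name__ == "__main__":
    # Usage: python3 audit_schg.py /path/to/jail/root  (hypothetical path)
    results = audit_shared_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, reason in results:
        print(f"{reason}: {path}")
    sys.exit(1 if results else 0)
```

The exit status is non-zero when anything is reported, so the script can run from a periodic job on the jail host.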



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070412135508.GX30772>