From owner-freebsd-current@FreeBSD.ORG Thu Apr 12 17:28:12 2007 Return-Path: X-Original-To: current@freebsd.org Delivered-To: freebsd-current@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id DBC2516A402; Thu, 12 Apr 2007 17:28:12 +0000 (UTC) (envelope-from kris@obsecurity.org) Received: from elvis.mu.org (elvis.mu.org [192.203.228.196]) by mx1.freebsd.org (Postfix) with ESMTP id C540213C480; Thu, 12 Apr 2007 17:28:12 +0000 (UTC) (envelope-from kris@obsecurity.org) Received: from obsecurity.dyndns.org (elvis.mu.org [192.203.228.196]) by elvis.mu.org (Postfix) with ESMTP id C796A1A4D82; Thu, 12 Apr 2007 10:28:20 -0700 (PDT) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id D4FE151578; Thu, 12 Apr 2007 13:28:11 -0400 (EDT) Date: Thu, 12 Apr 2007 13:28:11 -0400 From: Kris Kennaway To: Robert Watson Message-ID: <20070412172811.GA48309@xor.obsecurity.org> References: <200704112004.03903.lists@jnielsen.net> <20070412021645.GQ30772@cicely12.cicely.de> <20070412114135.C64803@fledge.watson.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="dDRMvlgZJXvWKvBx" Content-Disposition: inline In-Reply-To: <20070412114135.C64803@fledge.watson.org> User-Agent: Mutt/1.4.2.2i Cc: John Nielsen , ticso@cicely.de, current@freebsd.org Subject: Re: ZFS to support chflags? X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Apr 2007 17:28:12 -0000 --dDRMvlgZJXvWKvBx Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Apr 12, 2007 at 11:42:37AM +0100, Robert Watson wrote: >=20 > On Thu, 12 Apr 2007, Bernd Walter wrote: >=20 > >On Wed, Apr 11, 2007 at 08:04:03PM -0400, John Nielsen wrote: > > > >>I just moved /usr over to a zpool on my -CURRENT system. Performance an= d=20 > >>stability are both excellent so far. (Thanks Pawel!) However I noticed= =20 > >>that setting FS flags on files with chflags is not supported. Would it = be=20 > >>feasible to add support for flags on ZFS, and if so are there plans to = do=20 > >>so? > >> > >>If not (and/or in the meantime), are there any places in the base syste= m=20 > >>where flags are required for normal operation? (/var maybe?) > > > >Some binaries have such flags set, but it is not required, otherwise=20 > >diskless NFS wouldn't work. I often see installworld warnings about beei= ng=20 > >unable to set extended flags on ld.so and others on my diskless boxes. >=20 > I'm not a big fan of setting these flags -- I fairly frequently run into= =20 > problems when I installworld an NFS root on the NFS host, then try to wor= k=20 > with it over NFS from the NFS-booted system, as the flags can't be remove= d=20 > via NFS. They don't offer a security benefit as-installed, and perhaps= =20 > offer a benefit with respect to preventing people from shooting themselve= s=20 > in the foot (or perhaps not). Yeah, historical intentions notwithstanding, the real benefit of schg flags on critical pieces is anti foot-shooting. e.g. you really don't want to accidentally delete ld-elf.so.1 or libc.so.7 or init. You can usually recover from this, but it can mess up your whole day :) Kris --dDRMvlgZJXvWKvBx Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (FreeBSD) iD8DBQFGHmwrWry0BWjoQKURAuy6AJ95vfke+IXYJtRxN5tAI3x5W8k3igCfX401 bGaT9rRIoMz+8xGkR+9Z9lk= =M29L -----END PGP SIGNATURE----- --dDRMvlgZJXvWKvBx--