Date: Fri, 25 Jun 1999 01:13:04 -0500 (CDT) From: Frank Tobin <ftobin@bigfoot.com> To: FreeBSD-security Mailing List <freebsd-security@FreeBSD.ORG> Subject: Re: file flags during low securelevels Message-ID: <Pine.BSF.4.10.9906250107320.63311-100000@srh0710.urh.uiuc.edu> In-Reply-To: <Pine.BSF.3.96.990625005320.25811F-100000@earth.anet-stl.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Jason Young, at 01:02 on Fri, 25 Jun 1999, wrote: > In what situations are you running into problems with schg/sappnd? There's > only a few things that are schg/sappnd out of the box, and those targets > are handled by make world and the kernel install target automatically > assuming you're in an appropriate securelevel. I haven't looked that thorougly into the 'make world' installation process, but from watching output, it doesn't seem like it removes file flags from files it installs. Only on the ones in /usr/obj. > An admin who has the knowledge, need and will to remove schg/sappnd flag > protections should just do it - "chflags -R noschg nosappnd /." This doesn't preserve the current state of flags on the filesystem. It requires the admin going back through and resetting all the flags. Like I stated before, having this sort of knob would allow various programs on startup to ignore the state of these flags before the securelevel is raised, permitting them to do various things like rotate syslog, write out state information (SKIP), and a few other things. There are probably a lot I'm not thinking off. -- Frank Tobin "To learn what is good and what is to be http://www.bigfoot.com/~ftobin valued, those truths which cannot be shaken or changed." Myst: The Book of Atrus FreeBSD: The Power To Serve PGPenvelope = GPG and PGP5 + Pine PGP: 4F86 3BBB A816 6F0A 340F http://www.bigfoot.com/~ftobin/resources.html 6003 56FF D10A 260C 4FA3 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.10.9906250107320.63311-100000>