From owner-freebsd-questions Tue Jul 16 15:13:07 1996 Return-Path: owner-questions Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA29911 for questions-outgoing; Tue, 16 Jul 1996 15:13:07 -0700 (PDT) Received: from orion.webspan.net (root@orion.webspan.net [206.154.70.41]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA29900 for ; Tue, 16 Jul 1996 15:13:03 -0700 (PDT) Received: from localhost (gpalmer@localhost [127.0.0.1]) by orion.webspan.net (8.7.5/8.6.12) with SMTP id SAA03182; Tue, 16 Jul 1996 18:12:41 -0400 (EDT) X-Authentication-Warning: orion.webspan.net: Host gpalmer@localhost [127.0.0.1] didn't use HELO protocol To: David McNab cc: kelly@fsl.noaa.gov, black@MR.Net, questions@FreeBSD.ORG From: "Gary Palmer" Subject: Re: can't delete rcp In-reply-to: Your message of "Tue, 16 Jul 1996 11:17:37 PDT." <199607161817.LAA03277@baygate.bayarea.net> Date: Tue, 16 Jul 1996 18:12:41 -0400 Message-ID: <3178.837555161@orion.webspan.net> Sender: owner-questions@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk David McNab wrote in message ID <199607161817.LAA03277@baygate.bayarea.net>: > This "flags" thing looks like an abomination to > me. What is the rationale behind it, and where did it > come from? Simple. Security. If you add a `schg' (system immutable) flag to a file, then increase the kernel security level (currently -1 as it causes problems in some situations) to be 1 or more, then you CANNOT remove the flag and CANNOT change the binary without booting single user. So if you set schg on all the system binaries, and run at a higher security level on your servers, the security is increased quite a bit ... of course, even this should make you sleep easy at nights if you haven't taken other precautions too... Gary -- Gary Palmer FreeBSD Core Team Member FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info