From: Dan Pelleg
Date: Thu, 31 May 2001 08:30:09 -0400
To: freebsd-security@freebsd.org
Cc: freebsd-stable@freebsd.org
Subject: remounts (was: Re: adding "noschg" to ssh and friends)
Message-Id: <20010531123020.6044537B422@hub.freebsd.org>

"Karsten W. Rohrbach" wrote:

> there are some real high-impact tweaks to be a little bit safer from
> rootkits. one of them is mounting /tmp noexec. drawback: you got to
> remount it exec for make installworld.

I always wondered... Why are remounts permitted in all securelevels?

I mean, in a locked-down system where it's acceptable to force a reboot in order to upgrade (or run a rootkit), I should be able to enforce read-only mounts. Currently anyone (well, root) can just mount -u -w them.

Is this an implementation problem in mount(2)? (I haven't looked at the code.) Or is this going to break things for people (amd? in high securelevels?). What am I missing?
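The thread above assumes a hardening policy of the form "/tmp is noexec, the system partitions are read-only" and worries that root can silently undo it with mount -u -w. The script below is an added example, not code from Dan Pelleg, Karsten Rohrbach or the FreeBSD project: it audits the output of mount(8) against such a policy and reports every mount point that has drifted. The policy table and the sample mount lines are constructed for the example (they follow the "device on mountpoint (fstype, option, ...)" layout mount(8) prints, with the read-only flag spelled read-only); the function names are the example's own. On a real host you would feed it the live output with audit_mounts "$(mount)".

```shell
#!/bin/sh
# Added example: audit mount options against a hardening policy.
# Not part of the original thread; policy and sample data are constructed.

# Constructed policy: mount point, then the options it must carry
# (comma-separated). Adjust to taste; this is an assumption, not a
# recommended FreeBSD baseline.
POLICY='/tmp noexec,nosuid
/usr read-only
/var nosuid'

# Constructed sample of mount(8) output for a host that has drifted:
# /tmp has lost noexec and /usr has been remounted rw (mount -u -w),
# which is exactly the scenario the message above asks about.
SAMPLE_MOUNTS='/dev/ad0s1a on / (ufs, local)
/dev/ad0s1e on /tmp (ufs, local, nosuid, soft-updates)
/dev/ad0s1f on /usr (ufs, local, soft-updates)
/dev/ad0s1d on /var (ufs, local, nosuid, soft-updates)
procfs on /proc (procfs, local)'

# mount_opts MOUNT_OUTPUT MOUNTPOINT
# Prints the option list of MOUNTPOINT, one option per line. Prints
# nothing if the mount point does not appear in MOUNT_OUTPUT.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == "on" && $3 == mp {
            s = $0
            # keep only the text between the parentheses
            sub(/^[^(]*\(/, "", s)
            sub(/\)[^)]*$/, "", s)
            n = split(s, a, /, */)
            for (i = 1; i <= n; i++) print a[i]
        }'
}

# has_opt MOUNT_OUTPUT MOUNTPOINT OPTION
# Returns 0 if MOUNTPOINT is mounted with OPTION, 1 otherwise.
# An unmounted path has no options and therefore fails every check.
has_opt() {
    mount_opts "$1" "$2" | grep -qx -- "$3"
}

# audit_mounts MOUNT_OUTPUT
# Prints one "MOUNTPOINT missing OPTION" line per policy violation.
audit_mounts() {
    printf '%s\n' "$POLICY" | while read -r mp opts; do
        [ -n "$mp" ] || continue
        for o in $(printf '%s' "$opts" | tr ',' ' '); do
            has_opt "$1" "$mp" "$o" || printf '%s missing %s\n' "$mp" "$o"
        done
    done
}

# violation_count MOUNT_OUTPUT
# Prints the number of violations; 0 means the host matches the policy.
violation_count() {
    audit_mounts "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
audit_mounts "$SAMPLE_MOUNTS"
echo "violations: $(violation_count "$SAMPLE_MOUNTS")"
```

The check reports drift after the fact; it cannot stop root from running mount -u -w in the first place, which is the gap the message asks the kernel (securelevel, mount(2)) to close. Running it from cron and alerting on a non-zero count is the practical compromise until that is answered.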