Date:      Sun, 18 Feb 1996 17:08:54 +1100
From:      Bruce Evans <bde@zeta.org.au>
To:        hackers@freebsd.org, uhclem@nemesis.lonestar.org
Subject:   Re: Is "immutable" supposed to be a good idea?
Message-ID:  <199602180608.RAA29273@godzilla.zeta.org.au>

>[4]I vaguely remember that some of these flags were not supposed to
>[4]come into effect until the system went into multi-user mode..

No, see the init man page.

>That would be OK *if* we waited until the system was all the way up
>before going into that mode.  In my case, fsck bombed and
>offered me a sh.   The system is apparently already in this
>"secure" mode at that point.  

By default, the system is always in insecure mode (security level -1;
use `sysctl kern.securelevel' to see the level).

>The same was true if I booted -s.  By the time I got a shell, 
>the system was honoring the immut flag.

The immutable flags are always honoured.  In secure mode, you can't
turn them off.  In highly secure mode, you can write to the disk
directly to turn them off.

>If secure mode is something we turn on during the boot process,

You'd be really unhappy if we turned on secure mode :-).

>[4]I don't think these flags should be noticed till root decides to go
>[4]'secure'

>I agree.

I disagree.  The problem is that the immutable flags are set by default
on systems that will never run in secure mode.  This provides some
protection against root doing stupid things, but very little security.

The immutable flags aren't much use for protecting binaries and
libraries anyway.  Root can bypass them by moving the directory out of
the way.  Only their contents are protected.  Protecting contents is
useful for log files, but log files aren't immutable or append-only by
default.

Bruce
