Subject: Re: security sysctl? (was: r/o filesystem restrictions for firewall?)
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Andrew Brown <atatat@atatdot.net>
List: tech-kern
Date: 10/26/2000 10:59:07
On Wed, Oct 25, 2000 at 11:09:51PM -0400, Thor Lancelot Simon wrote:
>On Wed, Oct 25, 2000 at 09:14:11PM -0400, jchacon@genuity.net wrote:
>> Does securelevel 2 prevent you from mounting any new devices as well?
>>
>> i.e. can I vnconfig and mount that file?
>
>You know, this discussion is rather frustrating to me because all of the
>relevant details are pretty well documented. I quote the init(8) manual
>page:
>
> 2 Highly secure mode - same as secure mode, plus disks are always
> read-only whether mounted or not, new disks may not be mounted, and
> existing mounts may only be downgraded from read-write to read-on-
> ly. This level precludes tampering with filesystems by unmounting
> them, but also inhibits running newfs(8) while the system is multi-
> user.
it doesn't explicitly disallow vnconfig or mounting a vnd. i suggest
that either (a) that which is not expressly forbidden is allowed, or
(b) the second instance of the word "disks" in the paragraph abocveve
should be changed to "filesystems".
--
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org * "ah! i see you have the internet
twofsonet@graffiti.com (Andrew Brown) that goes *ping*!"
andrew@crossbar.com * "information is power -- share the wealth."