|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: Re: security sysctl? (was: r/o filesystem restrictions for firewall?)
From: jchacon
genuity.netDate: Thu Oct 26 2000 - 21:51:04 CDT
- Next message: Charles M. Hannum: "New Mozilla ports available"
- Previous message: security-officernetbsd.org: "NetBSD Security Advisory 2000-015"
- In reply to: Andrew Brown: "Re: security sysctl? (was: r/o filesystem restrictions for firewall?)"
- Reply: jchacongenuity.net: "Re: security sysctl? (was: r/o filesystem restrictions for firewall?)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
When you mount a vnd you're mounting from a block device (and reading the
code for sys_mount if you try and mount at all with securelevel 2 it
refuses unless you're updating an existing one to r/o).
I'm actually not sure you can even do the remount from r/w -> r/o because
there's code making sure MNT_RELOAD only happens if the current mount is
r/o. So the check below it would never happen on an existing disk that's
mounted r/w and tries to update to r/o. I need to test to make sure though.
James
>
>
>On Wed, Oct 25, 2000 at 11:09:51PM -0400, Thor Lancelot Simon wrote:
>>On Wed, Oct 25, 2000 at 09:14:11PM -0400, jchacongenuity.net wrote:
>>> Does securelevel 2 prevent you from mounting any new devices as well?
>>>
>>> i.e. can I vnconfig and mount that file?
>>
>>You know, this discussion is rather frustrating to me because all of the
>>relevant details are pretty well documented. I quote the init(8) manual
>>page:
>>
>> 2 Highly secure mode - same as secure mode, plus disks are always
>> read-only whether mounted or not, new disks may not be mounted, and
>> existing mounts may only be downgraded from read-write to read-on-
>> ly. This level precludes tampering with filesystems by unmounting
>> them, but also inhibits running newfs(8) while the system is multi-
>> user.
>
>it doesn't explicitly disallow vnconfig or mounting a vnd. i suggest
>that either (a) that which is not expressly forbidden is allowed, or
>(b) the second instance of the word "disks" in the paragraph abocveve
>should be changed to "filesystems".
>
>--
>|-----< "CODE WARRIOR" >-----|
>codewarriordaemon.org * "ah! i see you have the internet
>twofsonetgraffiti.com (Andrew Brown) that goes *ping*!"
>andrewcrossbar.com * "information is power -- share the wealth."
>
>
>
>
- Next message: Charles M. Hannum: "New Mozilla ports available"
- Previous message: security-officernetbsd.org: "NetBSD Security Advisory 2000-015"
- In reply to: Andrew Brown: "Re: security sysctl? (was: r/o filesystem restrictions for firewall?)"
- Reply: jchacongenuity.net: "Re: security sysctl? (was: r/o filesystem restrictions for firewall?)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]