Question about securelevel
Jim Zajkowski
jim at jimz.net
Wed Feb 11 07:35:22 PST 2004
On Feb 11, 2004, at 10:24 AM, roberto at redix.it wrote:
> Yes I agree with you: a secure system should be read-only fs, but to
> overcome the drawbacks of a CDROM, I can use a standard hardisk with a
> read-only file system while securelevel==3. The writable file system
> should be available in single user mode only on console.
If I figure out how to make your filesystem remount read-write without
a reboot, the game is over.
Running off a CD with a server which has a drive which cannot write
discs, it doesn't much matter if I figured out how to change the RO
mount or not, since the media itself cannot be written to [1]. Defense
in depth.
--Jim
[1] I suppose those flash-IDE thingamabobs that have a switch to toggle
to read-only work just as well here too.
More information about the freebsd-security
mailing list