Question about securelevel

Jim Zajkowski jim at jimz.net
Wed Feb 11 07:35:22 PST 2004


On Feb 11, 2004, at 10:24 AM, roberto at redix.it wrote:

> Yes I agree with you: a secure system should be read-only fs, but to
> overcome the drawbacks of a CDROM, I can use a standard hardisk with a
> read-only file system while securelevel==3. The writable file system
> should be available in single user mode only on console.

If I figure out how to make your filesystem remount read-write without 
a reboot, the game is over.

Running off a CD with a server which has a drive which cannot write 
discs, it doesn't much matter if I figured out how to change the RO 
mount or not, since the media itself cannot be written to [1].  Defense 
in depth.

--Jim

[1] I suppose those flash-IDE thingamabobs that have a switch to toggle 
to read-only work just as well here too.



More information about the freebsd-security mailing list