On Wed, Oct 19, 2005 at 08:44:49AM +0200, Otto Moerbeek wrote:
>
> On Wed, 19 Oct 2005, Roman Rodyakin wrote:
>
> > I have been recently thinking about trade-offs involved in running
> > servers at the securelevel 2. In securelevel 2, it is possible to mount
> > an MFS over an arbitrary disk directory and create arbitrary files in it,
> > including those that have system immutable flags set in the original
> > (disk) filesystem. This would essentially allow an attacker to
> > circumvent the system immutable flag until the reboot.
> >
> > My question is then this: what is the rationale, if any, for allowing
> > mount_mfs in securelevel 2?
> >
> > Not that it is a big deal (as MFS can be disabled in the kernel IIRC), I
> > am just wondering if I am perhaps misunderstanding the concept of
> > securelevel and protections allowed by it.
> >
> > I searched both mailing list archives and Google, but couldn't find
> > anything relevant. Feel free to point me to earlier discussions on the
> > subject, if there were any.
>
> Mounting in general is allowed, so why should mount_mfs be disallowed?

Correct me if I'm wrong, but I thought that, unlike most other mount_XXX commands, mount_mfs not only mounts a filesystem, but also creates it, essentially also doing what newfs does on a disk partition. newfs, however, fails in securelevel 2. That said, I can totally see your point though, as singling out one file system type and disabling mounting it can certainly be viewed as inconsistent.
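As an added example (not part of this thread or of OpenBSD's own tools), the following POSIX shell script shows the audit an administrator would want after reading the above: it lists every schg-flagged file whose on-disk copy is currently hidden beneath an MFS mount. It runs on constructed `mount` output and a constructed list of immutable files; the function names are my own assumptions.

```shell
#!/bin/sh
# Constructed sample of OpenBSD `mount` output (not captured from a real host):
# the last entry is an MFS mounted over /etc, the situation the thread describes.
SAMPLE_MOUNT='/dev/wd0a on / type ffs (local)
/dev/wd0d on /usr type ffs (local, nodev)
mfs:12345 on /tmp type mfs (asynchronous, local, nodev, nosuid, size=65536)
mfs:23456 on /etc type mfs (asynchronous, local, nodev, size=8192)'

# Constructed list of files that carry the schg (system immutable) flag on the
# on-disk filesystems, as an administrator would record it (e.g. from `ls -lo`)
# before any MFS is mounted.
SAMPLE_IMMUTABLE='/etc/rc.securelevel
/etc/ssh/sshd_config
/usr/bin/login'

# mfs_mountpoints: print the mount point of every mfs entry in `mount` output.
# Fields of each line are: device "on" mountpoint "type" fstype (options).
mfs_mountpoints() {
    printf '%s\n' "$1" | awk '$5 == "mfs" { print $3 }'
}

# shadowed_immutable: given `mount` output and a list of schg-flagged paths,
# print one line for each immutable file that sits below an MFS mount point,
# i.e. whose on-disk copy is hidden by the memory filesystem until reboot.
shadowed_immutable() {
    mounts=$1
    files=$2
    mfs_mountpoints "$mounts" | while read -r mp; do
        # Normalise the prefix so an MFS on "/" (prefix "/") also matches.
        prefix=${mp%/}/
        printf '%s\n' "$files" | while read -r f; do
            case "$f" in
                "$prefix"*) printf '%s shadowed by mfs on %s\n' "$f" "$mp" ;;
            esac
        done
    done
}

# Stand-alone run over the constructed samples.
shadowed_immutable "$SAMPLE_MOUNT" "$SAMPLE_IMMUTABLE"
```

On a live system, pass `$(mount)` and the list of immutable files recorded beforehand; an empty result means no immutable file is currently masked by an MFS.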