On Wed, 19 Oct 2005, Roman Rodyakin wrote:

> On Wed, Oct 19, 2005 at 08:44:49AM +0200, Otto Moerbeek wrote:
> >
> > On Wed, 19 Oct 2005, Roman Rodyakin wrote:
> >
> > > I have been recently thinking about trade-offs involved in running
> > > servers at the securelevel 2. In securelevel 2, it is possible to mount
> > > a MFS over an arbitrary disk directory and create arbitrary files in it,
> > > including those that have system immutable flags set in the original
> > > (disk) filesystem. This would essentially allow an attacker to
> > > circumvent the system immutable flag until the reboot.
> > >
> > > My question is then this: what is the rationale, if any, for allowing
> > > mount_mfs in securelevel 2?
> > >
> > > Not that it is a big deal (as MFS can be disabled in the kernel IIRC), I
> > > am just wondering if I am perhaps misunderstanding the concept of
> > > securelevel and protections allowed by it.
> > >
> > > I searched both mailing list archives and Google, but couldn't find
> > > anything relevant. Feel free to point me to earlier discussions on the
> > > subject, if there were any.
> >
> > Mounting in general is allowed, so why should mount_mfs be disallowed?
>
> Correct me if I'm wrong, but I thought that, unlike most other mount_XXX
> commands, mount_mfs not only mounts a filesystem, but also creates it,
> essentially also doing what newfs does on a disk partition. newfs,
> however, fails in securelevel 2.

So you prepare the image somewhere else and transfer it.

> That said, I can totally see your point though, as singling out one file
> system type and disabling mounting it can certainly be viewed as
> inconsistent.

	-Otto
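The practical consequence of the thread above is that, once an MFS has been mounted over a directory, the schg files underneath it are no longer reachable by path, so a live `find -x / -flags +schg` cannot tell you what was hidden; the only observables left are the mount table and a list of immutable files recorded earlier. The script below is an added example for this thread, not code from the original posters or from OpenBSD. It takes a constructed baseline list of schg paths (as one might record at install time) and a constructed mount table in the line format printed by mount(8) ("device on mountpoint type fstype (options)"), and reports every baseline immutable file whose deepest covering mount point is now an mfs. The variable names, the sample paths and the sample mount lines are all assumptions made up for the example.

```shell
#!/bin/sh
# Added example: detect system-immutable (schg) files that have been shadowed
# by an MFS mounted over an ancestor directory. All data below is constructed.

# Constructed baseline of schg files, one path per line. On a real system this
# would be recorded before the box is exposed, e.g. with: find -x / -flags +schg
BASELINE_SCHG='/bin/ls
/sbin/init
/etc/rc
/etc/rc.securelevel
/usr/libexec/ld.so
/var/log/authlog'

# Constructed mount table in the shape of mount(8) output. The last line is
# the attacker scenario from the thread: an MFS mounted over /etc.
CURRENT_MOUNTS='/dev/wd0a on / type ffs (local)
/dev/wd0d on /usr type ffs (local, nodev)
/dev/wd0e on /var type ffs (local, nodev, nosuid)
mfs:12345 on /etc type mfs (asynchronous, local, nodev, nosuid, size=16384)'

# shadowed_immutables BASELINE MOUNTS
# Prints "PATH shadowed by mfs on MOUNTPOINT" for each baseline path whose
# longest-prefix mount point is of type mfs. Both arguments are fed to awk in
# one stream, mount lines first, separated by a marker line.
shadowed_immutables() {
    {
        printf '%s\n' "$2"
        printf '%s\n' '---'
        printf '%s\n' "$1"
    } | awk '
    /^---$/ { section = 1; next }
    # Mount table: field 3 is the mount point, field 5 the filesystem type.
    section == 0 && $2 == "on" { fstype[$3] = $5; next }
    # Baseline: one path per line, kept whole so paths with spaces survive.
    section == 1 && NF > 0 { paths[++n] = $0 }
    END {
        for (i = 1; i <= n; i++) {
            p = paths[i]
            best = ""; btype = ""
            for (m in fstype) {
                # m covers p if m is "/", equals p, or is a proper path prefix.
                if (m == "/" || p == m || index(p, m "/") == 1) {
                    if (length(m) > length(best)) { best = m; btype = fstype[m] }
                }
            }
            if (btype == "mfs") print p " shadowed by mfs on " best
        }
    }'
}

# Stand-alone run against the constructed data.
shadowed_immutables "$BASELINE_SCHG" "$CURRENT_MOUNTS"
```

On a live system the two arguments would be the saved baseline and the output of `mount` taken at audit time; anything this reports is an immutable file an attacker could have replaced in place without touching the flag. The same longest-prefix logic also works for other overlay types, which is why the fstype is looked up rather than hard-coded in the matcher.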