I try to get a better understanding of hardening OpenBSD systems and have been digging man pages, several books (incl. "The design and implementation of the 4.4BSD operating system") and the archives (but not the sources due to my lack of real C knowledge).
I could not find any answers regarding the following questions: 1) Why do flags not prevent the mount system call from using protected directories as mount points? I would guess that flags just "protect at inode level" while mount "happens at vnode level". I am just wondering why it is done this way because protection of important config or log files can be bypassed easily by mounting another file system on top of /etc or /var, for example. I think there must be a good reason for implementing flags this way and I would like to understand that. 2) In FreeBSD this problem seems to have been addressed by disabling mounting file systems in any securelevel higher than 1. I could not find any OpenBSD discussion regarding this. Could someone please provide a link or shed some light on this otherwise? Thanks in advance for any help. _____________________________________________________________________ Der WEB.DE SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen! http://smartsurfer.web.de/?mc=100071&distributionid=000000000066
