how can I lock a directory with chflags schg ?
I have a directory with particular permissions on it, etc., that I want to make _absolutely sure_ never gets changed to different permissions.

So I figured, easy, I'll just:

chflags schg /dir

but I notice that once you chflags schg a directory, you can no longer write to that directory. Is this correct ?

Am I also correct that I _can_ continue to write to subdirectories of the schg directory ? (I seem to be able to)

Is there any way to lock down a directory the way I want to, and still be able to write to it ?

Thanks.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: chflags schg
On Fri, Sep 27, 2002 at 11:42:48AM +0930, Wilkinson,Alex wrote:
> Howdy all,
>
> When setting the system/user immutable flag on a file is there any way
> to tell by looking at the file's perms that it has been set immutable ?
> Or is there a command to check this ?

'ls -lo' will show you the file flags.

Marcus

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
Re: chflags schg
[EMAIL PROTECTED] said:
> When setting the system/user immutable flag on a file is there
> any way to tell by looking at the file's perms that it has been set
> immutable ? Or is there a command to check this ?

From "man ls"

     -o      Include the file flags in a long (-l) output.

so "ls -lo /kernel*" gives:

-r-xr-xr-x  1 root  wheel  schg 1458708 Jul 30 09:01 /kernel
-r-xr-xr-x  1 root  wheel  -    3258128 Nov 21  2000 /kernel.GENERIC

/kernel has schg, but kernel.GENERIC has no flags set.

Tony
--
Tony Landells <[EMAIL PROTECTED]>
Principal Networks, Security & IT Systems Engineer
Ph: +61 3 9677 9319
Australian Clearing Services Pty Ltd
Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia
chflags schg
Howdy all,

When setting the system/user immutable flag on a file is there any way to tell by looking at the file's perms that it has been set immutable ? Or is there a command to check this ?

Thanks

 - aW
mount read only || chflags schg & sec level 2
Hi,

I'm looking for a way to write protect some files what's the pros and cons with having the file on a separate partition and mount that read-only or use the chflags schg and go to kernel security level 2?

/ Jim.
Re: mount read only || chflags schg & sec level 2
At 09:55 2002-09-17 -0400, you wrote:
>Jimmy Lantz <[EMAIL PROTECTED]> writes:
>
> > I'm looking for a way to write protect
> > some files what's the pros and cons
> > with having the file on a separate partition and mount that read-only
> > or use the chflags schg and go to kernel security level 2?
>
>*Either* way you probably want to raise the security level. A
>read-only mount doesn't help if it can be re-mounted writeable. If
>the files *have* to be in the same directory with writeable files (as
>for many systems is true of /etc), schg can be a very good solution.

What files in /etc need to be writeable?
I was just thinking mounting it read-only.

>If the files aren't part of the standard system at all, then as
>someone else suggested, write-only media are an easy answer.
Re: mount read only || chflags schg & sec level 2
Jimmy Lantz <[EMAIL PROTECTED]> writes:

> I'm looking for a way to write protect
> some files what's the pros and cons
> with having the file on a separate partition and mount that read-only
> or use the chflags schg and go to kernel security level 2?

*Either* way you probably want to raise the security level. A read-only mount doesn't help if it can be re-mounted writeable. If the files *have* to be in the same directory with writeable files (as for many systems is true of /etc), schg can be a very good solution.

If the files aren't part of the standard system at all, then as someone else suggested, write-only media are an easy answer.
Re: mount read only || chflags schg & sec level 2
On Tue, Sep 17, 2002 at 10:39:10AM +0200, Jimmy Lantz wrote:

> I'm looking for a way to write protect
> some files what's the pros and cons
> with having the file on a separate partition and mount that read-only
> or use the chflags schg and go to kernel security level 2?

Either should work fine at keeping your files read-only, but you're probably going over the top here. If your system can be compromised to the extent that the normal filesystem protections can be overruled, then the game is up anyhow --- someone with that level of access can easily get around the sort of restrictions you're proposing.

If the intent is to prevent accidental deletion or modification of the files while you're logged in as root, then 'chflags schg' is probably appropriate --- you don't need to run at secure level 2 for the schg flag to take effect, but you can only turn off schg at secure level 0 or lower.

If you're really paranoid about the files, then you could consider storing the files on a medium that is read-only at the hardware level: eg. write the files to a CD-RW, which you then mount from a CD-ROM drive, or use a hard drive you've jumpered to be read-only.

Or you could use a file integrity checker, like tripwire (ports: security/tripwire) --- you can keep the tripwire checksum database on a write protected floppy.

You should also store known good copies of the file off-line as a backup: hardware failure is very good at erasing files despite all the precautions a sysadmin can take.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks
Savill Way
Marlow
Tel: +44 1628 476614
Bucks., SL7 1TH UK
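
The two checks discussed in this thread, reading the flags column of `ls -lo` and the rule that schg can only be cleared at secure level 0 or lower, as an added example that is not part of any poster's message. The function names, the sample listing and the paths in the usage comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread); function names are illustrative.

# Read FreeBSD `ls -lo` output on stdin and print each path whose flags
# column (field 5) does not include schg. Layout assumed:
#   mode links owner group flags size month day time-or-year name...
missing_schg() {
    awk '
    NF >= 10 {                       # skips "total N" and blank lines
        # Flags are comma-separated ("schg,nodump"); "-" means none.
        n = split($5, flags, ",")
        locked = 0
        for (i = 1; i <= n; i++)
            if (flags[i] == "schg") locked = 1
        if (!locked) {
            # Rejoin field 10 onward so names containing spaces survive.
            name = $10
            for (i = 11; i <= NF; i++) name = name " " $i
            print name
        }
    }'
}

# schg can only be cleared at securelevel 0 or lower, so at those levels
# root can still undo the lock. Succeeds (exit 0) when that is the case.
root_can_clear_schg() {
    [ "$1" -le 0 ]
}

# Constructed sample listing in the format shown earlier in the thread.
sample_listing() {
    cat <<'EOF'
total 9216
-r-xr-xr-x  1 root  wheel  schg 1458708 Jul 30 09:01 /kernel
-r-xr-xr-x  1 root  wheel  - 3258128 Nov 21  2000 /kernel.GENERIC
-rw-r--r--  1 root  wheel  nodump 2048 Sep 17 10:39 /var/db/site notes.txt
-rw-r--r--  1 root  wheel  schg,nodump 512 Sep 17 10:39 /etc/rc.conf
EOF
}

sample_listing | missing_schg

# On a live FreeBSD host (paths are assumptions):
#   ls -ldo /kernel /etc/rc.conf | missing_schg
#   root_can_clear_schg "$(sysctl -n kern.securelevel)" &&
#       echo "root can still remove schg; raise kern.securelevel"
```

Use `ls -ldo` rather than `ls -lo` when the thing being checked is a directory itself, so the directory's own flags are listed instead of its contents.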
mount read only || chflags schg & sec level 2
Hi,

I'm looking for a way to write protect some files what's the pros and cons with having the file on a separate partition and mount that read-only or use the chflags schg and go to kernel security level 2?

/ Jim.

NB. I'm sending this for the second time, and I do apologize if this in fact was posted yesterday, I've been through the archives for the list and didn't see my post anywhere hence the repost.