
Re: Immutable files



And thus spake Matthew Wilcox, on Wed, Dec 24, 1997 at 01:41:27AM +0000:
> From a security point of view, it might be considered worthwhile to install
> system executables (particularly the suid ones) and then mark them immutable.
> This does stop some common attacks from succeeding, and it might prevent some
> stupid things accidentally done as root.  My Debian 1.2.10 system (okay, it
> was an oldish CD-ROM..) has no files marked as immutable.  Has this been
> considered for the hamm release?

Immutability, append-only, and other kernel securelevel-dependent things
really need to be managed on a site basis.

As it stands, immutability is really pretty useless, and until the kernel
securelevel mechanism is fully implemented it's really just not something
to try to set up globally.

Securelevel flags also add a completely new level of complexity to package
management, if you require the dpkg system to maintain them. If you want
to use immutable/append-only, go for it; some of us like to be able to
upgrade our installations 5 or 6 times before we have to reboot.

-- 
Elie Rosenblum <erosenbl@nyx.net>   That is not dead which can eternal lie,
     <fnord@cosanostra.net>      And with strange aeons even death may die.
Developer / Mercenary / System Administrator             - _The Necromicon_

