Hi gang,
I'll be honest and blunt here: I did some research on my question before asking but not as thorough as I could have (meaning: glimpsing at Google and searching this forum). I'm quite agitated at the time of writing, luckily for me messing with FreeBSD and setting up a cool VPN at my hosting provider (consisting of some of my VPS's there) made somewhat up for it. I mentioned it more often but administrating FreeBSD actually and honestly gives me a dose of satisfaction.
I'm ready to "use the source". I partially rely on freebsd-update (or maybe not at all) and leave the rest up to my checked out copy of /usr/src.
When trying to update my jail I noticed an error:
Obviously FreeBSD's security scheme is too good for my own doing 
It took me a while to find out, but I know what's up:
As you may suspect by now: my kern.securelevel sits at 1.
Now, this isn't the problem; it only requires me to think up a specific security schema for my jail, quite frankly I love surprises like these.
My question concerns this:
My optimized, trimmed down and secured kernel, all based on the GENERIC configuration (with an extra thanks to @wblock@ for helping me look at the obvious ).
My question: Would there be any (unwanted?) nasty side-effects from setting an immutable flag on kernel and both zfs.ko and opensolaris.ko?
I can't think of any, I also can't imagine that it would (note: I obviously do not consider "not being able to update your kernel" an 'unwanted nasty side-effect' :e) but here's hoping someone of you guys can either confirm or rebut my current conclusion.
And thanks in advance for your help. As said; I did some research, but... oh well :stud
I'll be honest and blunt here: I did some research on my question before asking but not as thorough as I could have (meaning: glimpsing at Google and searching this forum). I'm quite agitated at the time of writing, luckily for me messing with FreeBSD and setting up a cool VPN at my hosting provider (consisting of some of my VPS's there) made somewhat up for it. I mentioned it more often but administrating FreeBSD actually and honestly gives me a dose of satisfaction.
I'm ready to "use the source". I partially rely on freebsd-update (or maybe not at all) and leave the rest up to my checked out copy of /usr/src.
When trying to update my jail I noticed an error:
Code:
install: rename: /usr/jails/dogma/lib/INS@3SfO to /usr/jails/dogma/lib/libc.so.7: Operation not permitted
*** [_libinstall] Error code 71It took me a while to find out, but I know what's up:
Code:
root@smtp2:/usr/jails/dogma/lib # ls -lo libc.so.7
-r--r--r-- 1 root wheel [FILE]schg[/FILE] 1367760 Sep 1 20:09 /usr/jails/dogma/lib/libc.so.7Now, this isn't the problem; it only requires me to think up a specific security schema for my jail, quite frankly I love surprises like these.
My question concerns this:
Code:
$ ls -lo /boot/kernel
total 9247
-r-xr-xr-x 1 root wheel - 7447049 Sep 18 23:26 kernel
-rw-r--r-- 1 root wheel - 6652 Sep 19 04:03 linker.hints
-r-xr-xr-x 1 root wheel - 13768 Sep 19 04:03 opensolaris.ko
-r-xr-xr-x 1 root wheel - 1946120 Sep 19 04:03 zfs.koMy question: Would there be any (unwanted?) nasty side-effects from setting an immutable flag on kernel and both zfs.ko and opensolaris.ko?
I can't think of any, I also can't imagine that it would (note: I obviously do not consider "not being able to update your kernel" an 'unwanted nasty side-effect' :e) but here's hoping someone of you guys can either confirm or rebut my current conclusion.
And thanks in advance for your help. As said; I did some research, but... oh well :stud
Last edited by a moderator:
I'm not sure if locking down the kernel executable prevents an intruder who has root privileges from changing the kernel. I'm thinking that it's still possible to rename and delete files in the enclosing directory and replace the locked kernel executable with a tampered one even with securelevel set.
