Subject: re: verified executable kernel modification committed
To: Andrew Brown <atatat@atatdot.net>
From: matthew green <mrg@eterna.com.au>
List: current-users
Date: 10/31/2002 01:43:25
   >   ...and it also can't tell you if the raw disk was frobbed out from
   >   underneath you.  chflags protects things at the ffs layer.  if you go
   >   below that, all bets are off.
   >
   >i dunno.  chflags isn't useful (*) without securelevel > 1 anyway,
   >at which point you can't frob the raw disk without physical (console)
   >access...
   
   make that securelevel > 0, since at securelevel 1, you can no longer
   clear sappnd or schg.

no, i meant what i said.  securelevel == 1 IMO is a waste of time.
it is pain that just hurts without really helping (devices are still
writable... so anything is possible, including removing various
flags...)
   
   >i guess my point is if i can modify the raw disk i can pretty much
   >do whatever i like already, regardless of vexec - i can probably 
   >change the vexec-ok list and cause a reboot - sure, you will notice
   >this but to attack the machine protected with chflags would need as
   >much force - a shutdown to single user or more.
   
   true, but that's more complex than merely changing the binary.
   
   >this is not to say i don't find vexec useful.  i know several
   >systems that i will definitely use it on.  i just don't think it
   >necessarily is inherently more secure than chflags protection.
   
   well, it's certainly not less.

yes.  and actually, i think the point of "you can't run trojans"
is nice...