Things to remove from /rescue

Ceri Davies setantae at submonkey.net
Thu Jul 17 01:46:24 PDT 2003


On Thu, Jul 17, 2003 at 01:43:33AM -0700, John-Mark Gurney wrote:
> David O'Brien wrote this message on Thu, Jul 17, 2003 at 01:08 -0700:
> > - ipfw & natd & ipf & ipfs & ipfstat & ipmon & ipnat, why would one need
> >   these?  /rescue is to fix a borked /, not replace PicoBSD.
> 
> ipfw I can see as useful.  If you have a kernel that defaults to closed,
> and you need to access the network, then this is a problem.  If we had
> a loader tunable to make a closed firewall open, then this wouldn't be
> needed, but then we introduce the fun security hole of /boot/loader.conf
> munging, which is minor...  if someone can modify /boot/loader.conf, you
> have bigger fish to fry..

There's the net.inet.ip.fw.enable sysctl.

I'm also dubious about /rescue/vi;  does this actually work when / is hosed?

Ceri
-- 


More information about the freebsd-arch mailing list