Background fsck is broken

[Poul-Henning Kamp]

In message <m33by7zula.fsf at merlin.emma.line.org>, Matthias Andree writes:
>"Poul-Henning Kamp" <phk at phk.freebsd.dk> writes:
>
>> In message <20041215105326.GO25967 at ip.net.ua>, Ruslan Ermilov writes:
>>
>>>Are you saying it's not possible to downgrade the open to
>>>(r=1, w=0, e=0) when a file system is downgraded from R/W to R/O?
>>
>> Yes: that would make a read-only mounted filesystem vulnerable to
>> overwriting through the /dev entry and we don't want that.
>>
>> The problem is that we do not in the kernel know if we are in single
>> user mode or not.
>
>What difference does this make? Aren't secure levels or mandatory access
>control and similar schemes sufficient to prevent tampering with direct
>device access?

No.

>Why would not root be allowed to nuke a read-only mounted file system?
>root has other means to trash a system, including writing junk into the
>hardware registers.

Just because root can go out of his way to do something stupid doesn't
mean that we should make it easier to make an honest mistake.

>On my wishlist, I've always wanted a "networked single user mode"
>(i. e. only sshd running, only root login with key possible), and I've
>always wondered why the whole system recovery is focused so much on the
>principle of a "single-user console".

Implement it!  I've wanted that for a long time too.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.