ZFS to support chflags?

Kris Kennaway kris at obsecurity.org
Thu Apr 12 17:28:12 UTC 2007

On Thu, Apr 12, 2007 at 11:42:37AM +0100, Robert Watson wrote:
> On Thu, 12 Apr 2007, Bernd Walter wrote:
> >On Wed, Apr 11, 2007 at 08:04:03PM -0400, John Nielsen wrote:
> >
> >>I just moved /usr over to a zpool on my -CURRENT system. Performance and 
> >>stability are both excellent so far. (Thanks Pawel!) However I noticed 
> >>that setting FS flags on files with chflags is not supported. Would it be 
> >>feasible to add support for flags on ZFS, and if so are there plans to do 
> >>so?
> >>
> >>If not (and/or in the meantime), are there any places in the base system 
> >>where flags are required for normal operation? (/var maybe?)
> >
> >Some binaries have such flags set, but it is not required, otherwise 
> >diskless NFS wouldn't work. I often see installworld warnings about beeing 
> >unable to set extended flags on ld.so and others on my diskless boxes.
> I'm not a big fan of setting these flags -- I fairly frequently run into 
> problems when I installworld an NFS root on the NFS host, then try to work 
> with it over NFS from the NFS-booted system, as the flags can't be removed 
> via NFS.  They don't offer a security benefit as-installed, and perhaps 
> offer a benefit with respect to preventing people from shooting themselves 
> in the foot (or perhaps not).

Yeah, historical intentions notwithstanding, the real benefit of schg
flags on critical pieces is anti foot-shooting.  e.g. you really don't
want to accidentally delete ld-elf.so.1 or libc.so.7 or init.
You can usually recover from this, but it can mess up your whole day

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-current/attachments/20070412/42deea48/attachment.pgp

More information about the freebsd-current mailing list