ZFS to support chflags?

Kris Kennaway kris at obsecurity.org
Thu Apr 12 17:28:12 UTC 2007


On Thu, Apr 12, 2007 at 11:42:37AM +0100, Robert Watson wrote:
> 
> On Thu, 12 Apr 2007, Bernd Walter wrote:
> 
> >On Wed, Apr 11, 2007 at 08:04:03PM -0400, John Nielsen wrote:
> >
> >>I just moved /usr over to a zpool on my -CURRENT system. Performance and 
> >>stability are both excellent so far. (Thanks Pawel!) However I noticed 
> >>that setting FS flags on files with chflags is not supported. Would it be 
> >>feasible to add support for flags on ZFS, and if so are there plans to do 
> >>so?
> >>
> >>If not (and/or in the meantime), are there any places in the base system 
> >>where flags are required for normal operation? (/var maybe?)
> >
> >Some binaries have such flags set, but it is not required, otherwise 
> >diskless NFS wouldn't work. I often see installworld warnings about being 
> >unable to set extended flags on ld.so and others on my diskless boxes.
> 
> I'm not a big fan of setting these flags -- I fairly frequently run into 
> problems when I installworld an NFS root on the NFS host, then try to work 
> with it over NFS from the NFS-booted system, as the flags can't be removed 
> via NFS.  They don't offer a security benefit as-installed, and perhaps 
> offer a benefit with respect to preventing people from shooting themselves 
> in the foot (or perhaps not).

Yeah, historical intentions notwithstanding, the real benefit of schg
flags on critical pieces is anti foot-shooting.  e.g. you really don't
want to accidentally delete ld-elf.so.1 or libc.so.7 or init.
You can usually recover from this, but it can mess up your whole day
:)

Kris