In-Reply-To: <4ae3c140504170912b36e9b1@mail.gmail.com>
References: <4ae3c14050417085473bd365f@mail.gmail.com> <20050417160306.GB777@alpha.home.local> <4ae3c140504170912b36e9b1@mail.gmail.com>
Mime-Version: 1.0 (Apple Message framework v619.2)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Message-Id: <efa44afd521dbc92f406cbbfd18ae9bd@mac.com>
Content-Transfer-Encoding: 7bit
Cc: Willy Tarreau <willy@w.ods.org>, linux-kernel@vger.kernel.org
From: Kyle Moffett <mrmacman_g4@mac.com>
Subject: Re: Why Ext2/3 needs immutable attribute?
Date: Sun, 17 Apr 2005 12:23:02 -0400
To: Xin Zhao <uszhaoxin@gmail.com>
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1359
Lines: 36

On Apr 17, 2005, at 12:12, Xin Zhao wrote:
> Thanks for your reply.
>
> Yes. I know,  with immutable,  even root cannot modify sensitive
> files. What I am curious is if an intruder has root access, he may
> have many ways to turn off the immutable protection and modify files.
> So immutable is designed just to prevent a valid root from making
> silly mistakes?
>
> Xin

But without the proper capability, root _can't_ change the immutable
bit.  Of course, that also applies to DAC checks too.  Personally, I
find the immutable bit most useful at preventing accidents.  I have
several scripts designed specifically to access the same file, and I
want to prevent one of my admins from accidentally editing that file
by hand.  The best way is with a big comment in the file itself and
the immutable bit.

Cheers,
Kyle Moffett

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCM/CS/IT/U d- s++: a18 C++++>$ UB/L/X/*++++(+)>$ P+++(++++)>$
L++++(+++) E W++(+) N+++(++) o? K? w--- O? M++ V? PS+() PE+(-) Y+
PGP+++ t+(+++) 5 X R? tv-(--) b++++(++) DI+ D+ G e->++++$ h!*()>++$ r  
!y?(-)
------END GEEK CODE BLOCK------


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/