I try to get a better understanding of hardening OpenBSD

systems and have been digging man pages, several books (incl.

"The design and implementation of the 4.4BSD operating system")

and the archives (but not the sources due to my lack of real C

knowledge).
I could not find any answers regarding the following questions:
1) Why do flags not prevent the mount system call from using

protected directories as mount points?
I would guess that flags just "protect at inode level" while

mount "happens at vnode level".
I am just wondering why it is done this way because protection

of important config or log files can be bypassed easily by

mounting another file system on top of /etc or /var, for example.
I think there must be a good reason for implementing flags this

way and I would like to understand that.
2) In FreeBSD this problem seems to have been addressed by

disabling mounting file systems in any securelevel higher than 1.
I could not find any OpenBSD discussion regarding this.

Could someone please provide a link or shed some light on this

otherwise?
Thanks in advance for any help.
_____________________________________________________________________

Der WEB.DE SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen!

http://smartsurfer.web.de/?mc=100071&distributionid=000000000066