On 6/26/08, flags-question@web.de  wrote:

quoted text
>  1) Why do flags not prevent the mount system call from using

>  protected directories as mount points?

>

>  I would guess that flags just "protect at inode level" while

>  mount "happens at vnode level".

Exactly.
>  I am just wondering why it is done this way because protection

quoted text
>  of important config or log files can be bypassed easily by

>  mounting another file system on top of /etc or /var, for example.

Define protection.  It is not possible to modify these files.  They

are protected.  If you think you should be able to read the correct

contents of these files, remember that the system has been

compromised.  The attacker can make you see anything they want by

directly manipulating your process's memory, regardless of what

filesystems are mounted or not.
The goal of securelevel was that once set, you could take a

compromised machine off the network, reboot it, and it would no longer

be compromised.  It would still be vulnerable, but there would be no

permanent changes to prevent a post-mortem.