Source string Read only

(itstool) path: answer/para
Context English State
The most common way to accomplish this is to build a simulated environment in a subdirectory and then run the processes in that directory chrooted so that <filename>/</filename> for that process is this directory, not the real <filename>/</filename> of the system).
Another common use is to mount an underlying file system read-only and then create a file system layer on top of it that gives a process a seemingly writeable view into that file system. The process may believe it is able to write to those files, but only the process sees the effects — other processes in the system do not, necessarily.
An attempt is made to make this sort of sandbox so transparent that the user (or hacker) does not realize that he is sitting in it.
<trademark class="registered">UNIX</trademark> implements two core sandboxes. One is at the process level, and one is at the userid level.
Every <trademark class="registered">UNIX</trademark> process is completely firewalled off from every other <trademark class="registered">UNIX</trademark> process. One process cannot modify the address space of another.
A <trademark class="registered">UNIX</trademark> process is owned by a particular userid. If the user ID is not the <systemitem class="username">root</systemitem> user, it serves to firewall the process off from processes owned by other users. The user ID is also used to firewall off on-disk data.
What is securelevel?
<literal>securelevel</literal> is a security mechanism implemented in the kernel. When the securelevel is positive, the kernel restricts certain tasks; not even the superuser (<systemitem class="username">root</systemitem>) is allowed to do them. The securelevel mechanism limits the ability to:
Unset certain file flags, such as <literal>schg</literal> (the system immutable flag).
Write to kernel memory via <filename>/dev/mem</filename> and <filename>/dev/kmem</filename>.
Load kernel modules.



New source string

FreeBSD Doc / books_faqEnglish

New source string 3 months ago
Browse all component changes


English English
No related strings found in the glossary.

Source information

Source string comment
(itstool) path: answer/para
No labels currently set.
Source string location
Source string age
3 months ago
Translation file
, string 827