Date: Sun, 20 Jun 1999 18:03:56 +0200 From: Eivind Eklund <eivind@FreeBSD.ORG> To: Frank Tobin <ftobin@bigfoot.com> Cc: FreeBSD-security Mailing List <freebsd-security@FreeBSD.ORG> Subject: Re: proposed secure-level 4 patch Message-ID: <19990620180356.J63035@bitbox.follo.net> In-Reply-To: <Pine.BSF.4.10.9906190053050.60212-200000@srh0710.urh.uiuc.edu>; from Frank Tobin on Sat, Jun 19, 1999 at 12:56:19AM -0500 References: <Pine.BSF.4.10.9906190053050.60212-200000@srh0710.urh.uiuc.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Jun 19, 1999 at 12:56:19AM -0500, Frank Tobin wrote: > Okay, a good friend of mine Kris Wehner has written a patch to implement > the proposed securelevel of 4, which would disallow the opening of > secure ports (<1024) while in the securelevel of 4. The patch is against > 3.2-STABLE kernel, as of within 12 hours. I'd like to hear more comments > before I send it as a send-pr. The patch is attached. I think using securelevel 4 for this is a bad idea. I believe the right thing to do with securelevels is to start splitting them into a set of different sysctls, where each individual feature can be turned off. It is convenient to have a set of sysctls you can use to "turn off everything" (like securelevel does today). However, to apply a "full securelevel" to a box is difficult; the ability to throw away single capabilities could be very useful. Eivind. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990620180356.J63035>