From owner-freebsd-security Sun Jun 20 21:58: 5 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id E622014D41; Sun, 20 Jun 1999 21:57:54 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id WAA67251; Sun, 20 Jun 1999 22:57:50 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id WAA95598; Sun, 20 Jun 1999 22:58:44 -0600 (MDT)
Message-Id: <199906210458.WAA95598@harmony.village.org>
To: Eivind Eklund
Subject: Re: proposed secure-level 4 patch
Cc: "Brian W. Buchanan", FreeBSD-security Mailing List
In-reply-to: Your message of "Sun, 20 Jun 1999 22:37:57 +0200." <19990620223757.K63035@bitbox.follo.net>
References: <19990620223757.K63035@bitbox.follo.net> <19990620180356.J63035@bitbox.follo.net>
Date: Sun, 20 Jun 1999 22:58:44 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

In message <19990620223757.K63035@bitbox.follo.net> Eivind Eklund writes:
: I won't go so far as to say that the introduction of securelevel 4 is
: a regression (it is nice functionality when you want to truly secure a
: box), but it would be much better if it came after having made
: "securelevel" a set of orthogonal switches.

I would go that far, or at least say that it isn't a desirable progression. A more general, and useful, feature would be to have some sysctls that become readonly at secure level 2 or greater. I could also be talked into making this a separate sysctl which once set cannot be unset. This would allow me to turn off binding of ports, turning on secure ports, turning other features on/off with a finer toothed comb.

I do not think that the proposed secure level 4 would materially improve security and strikes me as a kludge. I do agree that there needs to be a secure way to keep it off once off, but secure level 4 isn't it.

Speaking on the implementation issues, it would be sufficient to add a bit in the type field for the SYSCTL_PROC function. This bit would be checked before allowing the sysctl to be written. That strikes me as a much more useful way to do this.

This issue was beaten to death in the NetBSD lists recently. I believe it was der Mouse that proposed this in (I think) netbsd-security. After secure level 2 the desired security features become more orthogonal.

Warner
FreeBSD security officer.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
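The two mechanisms Warner sketches, a flag bit on a sysctl entry that makes it read-only once securelevel reaches 2, and a separate sysctl that can be set but never cleared, as an added toy model in C. This is not code from the original message or from FreeBSD's sysctl implementation; the flag names, the `knob` table entries and the `knob_write` check are all constructed for illustration.

```c
/* Toy model of a sysctl write path with per-entry lockdown bits.
 * Constructed example; names below are hypothetical, not FreeBSD's. */
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define KNOB_RW     0x01  /* entry is writable at all */
#define KNOB_SECURE 0x02  /* becomes read-only once securelevel >= 2 */
#define KNOB_LATCH  0x04  /* once set non-zero, can never be cleared */

struct knob {
    const char *name;
    int flags;   /* the "bit in the type field" the message proposes */
    int value;
};

/* Constructed table: a port-binding switch that locks at securelevel 2,
 * and a one-way latch sysctl that stays on once turned on. */
static struct knob toy_table[] = {
    { "net.restrict_port_bind", KNOB_RW | KNOB_SECURE, 0 },
    { "kern.lockdown",          KNOB_RW | KNOB_LATCH,  0 },
};

struct knob *knob_lookup(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof(toy_table) / sizeof(toy_table[0]); i++)
        if (strcmp(toy_table[i].name, name) == 0)
            return &toy_table[i];
    return NULL;
}

/* The flag check runs before the value is stored, so a refused write
 * leaves the old value untouched. Returns 0 on success, EPERM if refused. */
int knob_write(struct knob *k, int securelevel, int newval)
{
    if (k == NULL || !(k->flags & KNOB_RW))
        return EPERM;
    if ((k->flags & KNOB_SECURE) && securelevel >= 2)
        return EPERM;                       /* read-only from securelevel 2 on */
    if ((k->flags & KNOB_LATCH) && k->value != 0 && newval == 0)
        return EPERM;                       /* latch: cannot be unset */
    k->value = newval;
    return 0;
}
```

Raising securelevel itself is outside the model; the point is that each entry carries its own lockdown bit, so features can be frozen individually rather than through one more all-or-nothing level.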