From owner-cvs-all  Wed Apr 25 13: 8:17 2001
Delivered-To: cvs-all@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-27.dsl.lsan03.pacbell.net [63.207.60.27])
	by hub.freebsd.org (Postfix) with ESMTP
	id 9E70337B440; Wed, 25 Apr 2001 13:07:59 -0700 (PDT)
	(envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000)
	id 2EEBE66E41; Wed, 25 Apr 2001 13:07:59 -0700 (PDT)
Date: Wed, 25 Apr 2001 13:07:59 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Robert Watson <rwatson@FreeBSD.org>
Cc: Warner Losh <imp@harmony.village.org>,
	cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/conf Makefile.alpha Makefile.i386 Makefile.ia64 Makefile.pc98
Message-ID: <20010425130758.A79694@xor.obsecurity.org>
References: <200104252000.f3PK04826409@harmony.village.org> <Pine.NEB.3.96L.1010425160211.40560A-100000@fledge.watson.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="u3/rZRmxL6MmkK24"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <Pine.NEB.3.96L.1010425160211.40560A-100000@fledge.watson.org>; from rwatson@FreeBSD.org on Wed, Apr 25, 2001 at 04:03:56PM -0400
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG


--u3/rZRmxL6MmkK24
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Apr 25, 2001 at 04:03:56PM -0400, Robert Watson wrote:
> On Wed, 25 Apr 2001, Warner Losh wrote:
>=20
> > In message <Pine.NEB.3.96L.1010425101646.34527A-100000@fledge.watson.or=
g> Robert Watson writes:
> > : Better yet, disable the setting of flags. :-)
> >=20
> > I'd love to do that.  Would people support me?=20
>=20
> It seems to come up every now and then.  Frankly, I'd like to see them
> disabled by default, as they break install onto a variety of non-FFS file
> systems, in jail(), and cause a lot of POLA.  And they offer no real
> benefit in the default install (arguably you might be able to configure
> securelevels to do what they claim, but it will require a lot more thank
> sprinkling noschg on a few kernel modules).=20

Well, I've been saved from a trashed system more than once by the schg
flag on libc..the only real benefit they have is as an
anti-foot-shooting device, but they do pretty well at that.

Kris

--u3/rZRmxL6MmkK24
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE65y6eWry0BWjoQKURAjGRAKCqKdaT5vRNX+99BxbvLsp2kWeMbwCg7oaJ
U+IZKTaVm8KZoZqK5pSnmts=
=KXuQ
-----END PGP SIGNATURE-----

--u3/rZRmxL6MmkK24--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message