Date: Tue, 23 Apr 2002 23:45:23 -0400 (EDT)
From: Robert Watson
To: "Greg 'groggy' Lehey"
Cc: Jordan Hubbard, Oscar Bonilla, Anthony Schneider, Mike Meyer, hackers@FreeBSD.org
Subject: Re: Security through obscurity? (was: ssh + compiled-in SKEY support considered harmful?)

On Wed, 24 Apr 2002, Greg 'groggy' Lehey wrote:

> I think the issue is POLA. Sure, we can put in individual knobs to
> twiddle, but who will do that? I thought that securelevel would have
> been a suitable solution to say "I want approximately *this* much
> security". If that's not the case, then we need a few generic
> statements which can then be further refined.

FWIW, the place where this should really go is the X11 configuration tool -- if we extend the configurability of an application, the configuration twiddles for that should live (and be documented) in the normal places for that application, and not have any hooks of this sort in the base system.

BTW, one really good reason not to tie securelevel and X11 behavior is that securelevels (when high) specifically break X11, and likewise, other management functionality that you might want to use with X11. Overloading twiddles in this manner is a bad thing :-).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services