Date: Wed, 14 Mar 2001 11:42:58 -0800 From: Alfred Perlstein <bright@wintelcom.net> To: freebsd-arch@FreeBSD.ORG Subject: Re: flags settings for modules Message-ID: <20010314114258.H29888@fw.wintelcom.net> In-Reply-To: <20010314111629.A1018@dragon.nuxi.com>; from TrimYourCc@NUXI.com on Wed, Mar 14, 2001 at 11:16:29AM -0800 References: <20010314111629.A1018@dragon.nuxi.com>
next in thread | previous in thread | raw e-mail | index | archive | help
* David O'Brien <TrimYourCc@NUXI.com> [010314 11:17] wrote: > I committed a change sys/conf/kmod.mk such that modules are now installed > with flags "schg" as the kernel has been forever. > > It was asked of me if the "schg" flags do much more than get in the > way now? Some feel we're really using "schg" mainly to inhibit foot > shooting. It doesn't really help security or we would set it on more > libraries than libc.so.* and a couple of crypto shared libraries. > > So the question is do we want to keep my change? If so, shouldn't we use > "schg" in a *lot* more places? Otherwise it's use is nebulous I see this as being really useful for kernel and modules. As far as using it in other places, it's a bit premature. I had the idea that a system utility that could enable a "highly secure/paraniod" mode could walk the fs adding 'schg' and stripping 'setuid' and 'setgid' on most installed binaries as well as adding the securelevel hooks to the system. The tool had better be able to undo this change as well when in single user mode. I don't see coding this tool as being a major excersize, it just could/ought to be done. -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010314114258.H29888>