Date: Thu, 15 Mar 2001 04:03:14 +0100
From: Andrea Campi <andrea@webcom.it>
To: freebsd-arch@freebsd.org
Subject: Re: flags settings for modules
Message-ID: <20010315040314.H3277@webcom.it>
In-Reply-To: <20010314184051.A64088@hub.freebsd.org>; from TrimYourCC@nuxi.com on Wed, Mar 14, 2001 at 06:40:51PM -0800
References: <20010314111629.A1018@dragon.nuxi.com> <Pine.NEB.3.96L.1010314211549.87211A-100000@fledge.watson.org> <20010315032215.G3277@webcom.it> <20010314184051.A64088@hub.freebsd.org>
On Wed, Mar 14, 2001 at 06:40:51PM -0800, David O'Brien wrote:
> On Thu, Mar 15, 2001 at 03:22:16AM +0100, Andrea Campi wrote:
> > Why don't we make it a make(1) variable?
>
> I would like to fight the "let's make everything a tuneable knob" syndrome
> I think we've fallen into lately. First let's see if anyone really needs
> or wants those flag values.

Well, I understand your point of view, but in my opinion there are 2 user
groups involved here: security conscious guys, who would like to have all
"immutable" files, including all binaries on /, all libraries, whatever
(heck, on production machines I'd have /etc/* schg), and more casual users
(or users with particular needs) who don't want that because it
incommodes them.

Apart from the kernel, where I feel schg should stay no matter what, I feel
both of these user groups have good reasons. Which one would you favor?
Having a knob, probably defaulting to "only kernel schg" for POLA, would be
perfect and trivial to implement.

On the other hand, this kind of hardening is a candidate for
ports/misc/harden...

Bye,
	Andrea

--
There's no place like ~
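Whichever default the knob gets, an administrator wants to verify which files actually carry schg. The script below is an added example, not code from the thread or from FreeBSD: it parses FreeBSD `ls -lo` output (flags in the fifth column, `-` when none) and lists paths that are not system-immutable; the sample lines are constructed, not real output.

```shell
#!/bin/sh
# Added example: audit which files lack the schg (system immutable) flag.
# Assumes FreeBSD ls -lo layout: mode links owner group FLAGS size date... path
# (flags is "-" for none, otherwise a comma-separated list such as "schg,uchg").

# check_immutable: read ls -lo lines on stdin, print each path whose flags lack schg.
check_immutable() {
    awk '{
        flags = $5; path = $NF
        n = split(flags, f, ",")
        has = 0
        for (i = 1; i <= n; i++) if (f[i] == "schg") has = 1
        if (!has) print path
    }'
}

# Constructed sample output (not captured from a real system): the kernel and
# /etc/rc.conf are schg, /bin/sh has no flags, /sbin/init only has uchg.
SAMPLE='-r-xr-xr-x  1 root  wheel  schg       4000000 Mar 14  2001 /boot/kernel/kernel
-r-xr-xr-x  1 root  wheel  -            30000 Mar 14  2001 /bin/sh
-r--r--r--  1 root  wheel  schg,uchg     1200 Mar 14  2001 /etc/rc.conf
-r-xr-xr-x  1 root  wheel  uchg         60000 Mar 14  2001 /sbin/init'

# audit_sample: print the non-immutable paths from the sample; succeed only if none.
audit_sample() {
    out=$(printf '%s\n' "$SAMPLE" | check_immutable)
    printf '%s\n' "$out"
    [ -z "$out" ]
}

# On a real FreeBSD host the same check runs over live output, e.g.:
#   ls -lo /boot/kernel/kernel /bin/* /sbin/* | check_immutable
```

Note that uchg (user immutable) is not a substitute for schg: at kern.securelevel 1 or higher only schg resists being cleared, which is why the script treats "uchg" alone as a miss.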