Date:      Thu, 15 Mar 2001 04:03:14 +0100
From:      Andrea Campi <andrea@webcom.it>
To:        freebsd-arch@freebsd.org
Subject:   Re: flags settings for modules
Message-ID:  <20010315040314.H3277@webcom.it>
In-Reply-To: <20010314184051.A64088@hub.freebsd.org>; from TrimYourCC@nuxi.com on Wed, Mar 14, 2001 at 06:40:51PM -0800
References:  <20010314111629.A1018@dragon.nuxi.com> <Pine.NEB.3.96L.1010314211549.87211A-100000@fledge.watson.org> <20010315032215.G3277@webcom.it> <20010314184051.A64088@hub.freebsd.org>

On Wed, Mar 14, 2001 at 06:40:51PM -0800, David O'Brien wrote:
> On Thu, Mar 15, 2001 at 03:22:16AM +0100, Andrea Campi wrote:
> > Why don't we make it a make(1) variable?
> 
> I would like to fight the "let's make everything a tuneable knob" syndrome
> I think we've fallen into lately.  First let's see if anyone really needs
> or wants those flag values.

Well, I understand your point of view, but in my opinion there are 2
user groups involved here: security conscious guys, who would like to
have all "immutable" files, including all binaries on /, all libraries,
whatever (heck, on production machines I'd have /etc/* schg), and more
casual users (or users with particular needs) who don't want that because
it inconveniences them.

Apart from the kernel, where I feel schg should stay no matter what, I
feel both of these user groups have good reasons. Which one would you
favor?

Having a knob, probably defaulting to "only kernel schg" for POLA,
would be perfect and trivial to implement.

On the other hand, this kind of hardening is a candidate for
ports/misc/harden...

Bye,
	Andrea

-- 
                       There's no place like ~
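As an added illustration of the knob proposed in this message (not code from the thread or from the FreeBSD build system), a BSD make(1) fragment with a hypothetical variable `IMMUTABLE_INSTALL` that defaults to flagging only the kernel; the target paths and the `${INSTALL}` invocation are placeholders:

```make
# Added example, not FreeBSD's own mk files. Hypothetical knob:
#   none   - install nothing with schg
#   kernel - only the kernel gets schg (default, least surprise)
#   all    - kernel, base binaries and libraries get schg
IMMUTABLE_INSTALL?=	kernel

.if ${IMMUTABLE_INSTALL} == "all"
KERNFLAGS=	-fschg
BINFLAGS=	-fschg
LIBFLAGS=	-fschg
.elif ${IMMUTABLE_INSTALL} == "kernel"
KERNFLAGS=	-fschg
BINFLAGS=
LIBFLAGS=
.elif ${IMMUTABLE_INSTALL} == "none"
KERNFLAGS=
BINFLAGS=
LIBFLAGS=
.else
.error "IMMUTABLE_INSTALL must be one of: none, kernel, all"
.endif

# install(1) accepts the flag list via -f, so the knob only changes
# which targets pass it. Paths below are placeholders.
install-kernel:
	${INSTALL} -o root -g wheel -m 555 ${KERNFLAGS} kernel ${DESTDIR}/kernel

install-bin:
	${INSTALL} -o root -g wheel -m 555 ${BINFLAGS} ${PROG} ${DESTDIR}/bin/${PROG}

install-lib:
	${INSTALL} -o root -g wheel -m 444 ${LIBFLAGS} ${LIB} ${DESTDIR}/usr/lib/${LIB}
```

Reinstalling over a file that already carries schg fails while kern.securelevel is above 0, so a box built with `all` has to drop to securelevel 0 (single-user) before `make installworld`; that operational cost is the trade-off the two user groups above weigh differently.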
