From owner-freebsd-questions@FreeBSD.ORG Fri Dec 24 02:01:54 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3D7D116A4CE for ; Fri, 24 Dec 2004 02:01:54 +0000 (GMT) Received: from mail4.speakeasy.net (mail4.speakeasy.net [216.254.0.204]) by mx1.FreeBSD.org (Postfix) with ESMTP id F392043D54 for ; Fri, 24 Dec 2004 02:01:53 +0000 (GMT) (envelope-from freebsd-questions-local@be-well.ilk.org) Received: (qmail 21695 invoked from network); 24 Dec 2004 02:01:53 -0000 Received: from dsl092-078-145.bos1.dsl.speakeasy.net (HELO be-well.ilk.org) ([66.92.78.145]) (envelope-sender ) by mail4.speakeasy.net (qmail-ldap-1.03) with SMTP for ; 24 Dec 2004 02:01:53 -0000 Received: by be-well.ilk.org (Postfix, from userid 1147) id 7065B44; Thu, 23 Dec 2004 21:01:52 -0500 (EST) Sender: lowell@be-well.ilk.org To: Mark References: <20041222223050.A67744@logik.ath.cx> From: Lowell Gilbert Date: 23 Dec 2004 21:01:52 -0500 In-Reply-To: <20041222223050.A67744@logik.ath.cx> Message-ID: <44is6ssbcf.fsf@be-well.ilk.org> Lines: 26 User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii cc: freebsd-questions@freebsd.org Subject: Re: Xorg & xdm & securelevels X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: freebsd-questions@freebsd.org List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Dec 2004 02:01:54 -0000 Mark writes: > I would like to push my securelevel up to 1 in order to better enforce > my security policy (protecting chflags, kernel modules etc) but this > of course would break Xorg as it requires access to /dev/io. I've > heard that it's possible to run Xorg via xdm whilst the system is > booting at securelevel 0 and have the securelevel raised afterwards, > effectively allowing X to live in a securelevel > 0 environment. Sure. I don't bother for my own machines, because I'm very careful about authentication methods, but it's certainly > How painful is this to implement? Am I likely to run into any > major problems? It's trivial to implement, and will work fine. If I remember correctly, setting the securelevel by the normal rc.conf method and enabling xdm from ttys(5) should do it. > I've also heard that it's possible to remove the SUID bit from X > by using xdm, but that's probably for another thread... Yep, completely different topic. It's true that it's possible, but if you're in a raised securelevel, it's also not going to gain you much.