Date: Thu, 1 Apr 1999 18:17:48 -0800 (PST) From: Matthew Dillon <dillon@apollo.backplane.com> To: Sean Eric Fagan <sef@kithrup.com> Cc: hackers@FreeBSD.ORG Subject: Re: Suggestion: loosen slightly securelevel>1 time change restriction Message-ID: <199904020217.SAA63090@apollo.backplane.com> References: <199904020033.QAA09981@medusa.kfu.com> <199904020137.RAA18306@kithrup.com>
next in thread | previous in thread | raw e-mail | index | archive | help
:In article <199904020130.RAA61810.kithrup.freebsd.hackers@apollo.backplane.com> you write:
:> the fact that Kerberos will fail of the time isn't synchronized between
:> machines and that NFS and many other subsystems will do weird things
:> when the time is out of sync between machines. The 'protection'
:> that securelevel is giving us, in regards to the time, is zip.
:
:I can't tell if this is an april fool's joke as well.
:
:The purpose of prohibiting setting the time backwards is to prevent a cracker
:from changing the ctime of a file to before he actually changed it. This
:change means you can do security audits more easily.
The current securelevel solution is a half-assed solution, IMHO. It
creates more problems then it solves.
-Matt
Matthew Dillon
<dillon@backplane.com>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199904020217.SAA63090>