From: "Brian W. Buchanan" <brian@CSUA.Berkeley.EDU>
Date: Sat, 19 Jun 1999 23:11:03 -0700 (PDT)
To: Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: proposed secure-level 4 patch
In-Reply-To: <199906200450.OAA05782@cheops.anu.edu.au>

On Sun, 20 Jun 1999, Darren Reed wrote:

> Man, that's nasty. Reboot to restart something.

Security and convenience are almost always a tradeoff. Running at securelevel 1 (and using it properly) means you can't upgrade a lot of stuff live, can't purge logs, can't load modules, etc. Running at securelevel 2 means you can't newfs while running multi-user. Level 3 means you can't change your IPFW rules. Each time you tighten security, you give up a little convenience to gain a little peace of mind.

In the proposed case, people who are paranoid about having a root compromise lead to someone binding a modified version of sshd or other login daemon to steal passwords can bring the system to securelevel 4 after daemon startup and ensure that the attacker cannot simply kill sshd and replace it. Well-written daemons should *not* die unless killed, and if you're running with a positive securelevel, you've already given up the luxury of live upgrades. To minimize downtime due to dead daemons, just spawn everything from inetd and make darn sure that inetd won't die unless root decides it should.
Anyway, this all boils down to a matter of choice. If you value being able to restart daemons without rebooting, then don't use this level of protection.

--
Brian Buchanan                                     brian@CSUA.Berkeley.EDU
--------------------------------------------------------------------------
FreeBSD - The Power to Serve!                       http://www.freebsd.org
daemon(n): 1. an attendant power or spirit : GENIUS
           2. the cute little mascot of the FreeBSD operating system
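The sequencing the post describes, raising the securelevel only once the login daemons are up, as an added example that is not part of the original thread. It assumes FreeBSD's sysctl(8) and pgrep(1); the daemon list and target level are illustrative, and the transition check encodes the rule that a running system can only raise kern.securelevel, never lower it.

```sh
#!/bin/sh
# Added example, not from the post. Helper functions for an rc.local-style
# script that raises kern.securelevel after the daemons it protects are running.

# Returns 0 if moving from securelevel $1 to $2 is allowed on a running system:
# the level may stay the same or go up; lowering it needs a reboot.
securelevel_transition_ok() {
    cur=$1
    new=$2
    [ "$new" -ge "$cur" ]
}

# Wait up to $2 seconds until every daemon named in $1 has a running process.
# Returns 1 (and lists what is missing) if the timeout expires.
wait_for_daemons() {
    names=$1
    timeout=$2
    while [ "$timeout" -gt 0 ]; do
        missing=""
        for d in $names; do
            pgrep -x "$d" >/dev/null 2>&1 || missing="$missing $d"
        done
        [ -z "$missing" ] && return 0
        timeout=$((timeout - 1))
        sleep 1
    done
    echo "daemons still not running:$missing" >&2
    return 1
}

# Raise kern.securelevel to $1, refusing any transition the kernel would
# reject anyway so the failure is reported clearly instead of silently.
raise_securelevel() {
    target=$1
    cur=$(sysctl -n kern.securelevel)
    if ! securelevel_transition_ok "$cur" "$target"; then
        echo "refusing to move securelevel from $cur to $target" >&2
        return 1
    fi
    sysctl kern.securelevel="$target"
}

# Intended use from rc.local (illustrative daemon list and level):
#   wait_for_daemons "sshd inetd" 30 && raise_securelevel 1
```

Because the functions are only defined here, source the file from rc.local and call the last line's sequence after the daemon startup you want protected.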