From owner-freebsd-security Thu Mar 11 16:26:54 1999 Delivered-To: freebsd-security@freebsd.org Received: from bubba.whistle.com (s205m7.whistle.com [207.76.205.7]) by hub.freebsd.org (Postfix) with ESMTP id 6DDB1150D2 for ; Thu, 11 Mar 1999 16:26:50 -0800 (PST) (envelope-from archie@whistle.com) Received: (from archie@localhost) by bubba.whistle.com (8.9.2/8.9.2) id QAA99732; Thu, 11 Mar 1999 16:25:22 -0800 (PST) From: Archie Cobbs Message-Id: <199903120025.QAA99732@bubba.whistle.com> Subject: Re: FreeBSD SKIP port updated In-Reply-To: <199903120019.KAA05025@frenzy.ct> from Mark Newton at "Mar 12, 99 10:49:07 am" To: newton@camtech.com.au (Mark Newton) Date: Thu, 11 Mar 1999 16:25:22 -0800 (PST) Cc: ark@eltex.ru, freebsd-security@Freebsd.org Reply-To: eeBSD.ORG@whistle.com X-Mailer: ELM [version 2.4ME+ PL38 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Mark Newton writes: > > I thought the disabling of KLD's only blocked the kldload() process. > > Guess not. > > From a brief look at the source, you might be right. > > This is bad. I'd think disabling KLDs should totally disable the > in-kernel linker. Otherwise someone could get new modules into your > kernel by adding 'em to loader.rc and forcing a reboot. The counter argument to that is that if someone can modify this file or reboot your computer they already are root and can pretty much do anything anyway, regardless of the securelevel setting. I'm sure there are counter-counter arguments to this though :-) -Archie ___________________________________________________________________________ Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message