Date:      Thu, 16 Apr 1998 09:39:16 -0400
From:      Marca Registrada <inf@nyef.res.cmu.edu>
To:        FreeBSD-Security@FreeBSD.ORG, FreeBSD-Stable@FreeBSD.ORG
Subject:   Re: kernel permissions
Message-ID:  <19980416093916.41527@nyef.res.cmu.edu>
In-Reply-To: <199804160511.WAA03453@burka.rdy.com>; from Dima Ruban on Wed, Apr 15, 1998 at 10:11:28PM -0700


Quoting Dima Ruban (dima@best.net):
> Okay. Here's an example. Ever hear of a commercially available drivers?
> When you install such stuff, you don't want somebody to be able to read
> them, or have a copy of kernel with them. Why? Because you did pay for them
> and whoever wants to have an access - didn't.

  That would seem to be the exception rather than the norm. While I don't
debate why _some_ people would want a 440 kernel, it feels like the
security argument hasn't been filled, and otherwise, it creates the ever
bit more presence of 'hostility' towards the user, and in this case, an
unfounded one.  I've actually had friends logged into my system 'borrow'
my kernel config for their own system, make comments "Hrmm, so how's devfs
working for you?" and do the same throughout most of my system, being that
I'm the local "FreeBSD guru" who has converted people around him and
(unknowingly?) took on the obligation to help.

  I've always been one for 'conf' options, so might I suggest this be a
thing for 'config' to handle or a make.conf option?  As a matter of fact,
I was very happy that sendmail became a make.conf option, seeing as I use
qmail and nearly ALWAYS forgot to replace sendmail after a make world.  I
think many such obvious policy issues should be configurable, with the
predominant view the default.

--- make.conf ---

# To compile just the kernel with special optimisations, you should use
# this instead of CFLAGS (which is not applicable to kernel builds
# anyway):
#
COPTFLAGS= -O2 -pipe

KERNEL_OWNER  root.kmem
KERNEL_PERMS 444
#KERNEL_PERMS  440

...

  Possibly in a more stylistically suitable format? 

--

   - All we hear is internet gaagaa, internet googoo, internet gaagaa

