From owner-freebsd-security  Wed Sep 17 12:06:24 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id MAA02815
          for security-outgoing; Wed, 17 Sep 1997 12:06:24 -0700 (PDT)
Received: from login.bigblue.no (root@login.bigblue.no [194.19.68.12])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id MAA02808
          for <freebsd-security@freebsd.org>; Wed, 17 Sep 1997 12:06:17 -0700 (PDT)
Received: from eagle.bigblue.no (eagle.bigblue.no [194.19.68.13])
          by login.bigblue.no (8.8.7/8.8.5) with SMTP id VAA01931;
          Wed, 17 Sep 1997 21:06:07 +0200 (MET DST)
Message-Id: <199709171906.VAA01931@login.bigblue.no>
From: "Frode Nordahl" <froden@bigblue.no>
To: "Mikael Karpberg" <karpen@ocean.campus.luth.se>
Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Date: Wed, 17 Sep 97 21:06:04 +0100
Reply-To: "Frode Nordahl" <froden@bigblue.no>
Priority: Normal
X-Mailer: PMMail 1.92 For OS/2
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: schg flag...
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 17 Sep 1997 20:58:19 +0200 (CEST), Mikael Karpberg wrote:

>> Ok... Well then's a question, why is FreeBSD's standard mode to run in
>> leve -1?  Isn't that a bit suicidal?
>
>No, it's practical. Running at a higher securelevel just makes things harder
>for you. Compiling a new kernel, etc. Why bother making your computer a
>fortress when you really don't have much important data on it? It's just
>annoying to have to lower the drawbridge every time you wanna run out to
>pick a fresh apple. :-)
>
>Ofcourse, when you set up a server which actually contains data you can't
>afford to loose, or having someone unauthorised read, then you should
>probably raise the secure level. But most machines running FreeBSD are
>most likely just workstations, which can be wiped and reinstalled if
>anything really bad happens. Therefor that's the default.

I can understand that!  I would really hate it if I had those limitations on my workstation, but the install program, or the 
rc.conf file should mention it somewhere.

One of our FreeBSD boxes run as a user shell-account server.  And with all of those "mad" users running arround, 
having some security is pretty nice.  Okay, if something happends, we can allways reinstall, but that costs us time, 
money, and reputation.  So the box is to be as secure as possible at any time.
_____________________________________________________________
Frode Nordahl         | P.B. 2509 Solli | Tel +47 22 20 47 18
Teknisk ansvarlig     | 0202 Oslo       | Fax +47 22 20 39 19
Computer Tjenester AS | Norway          | froden@bigblue.no