From owner-cvs-all  Thu Mar  8  8:19: 8 2001
Delivered-To: cvs-all@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by hub.freebsd.org (Postfix) with ESMTP
	id A621637B71A; Thu,  8 Mar 2001 08:19:03 -0800 (PST)
	(envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.11.1/8.11.1) with SMTP id f28GFMh81968;
	Thu, 8 Mar 2001 11:15:22 -0500 (EST)
	(envelope-from robert@fledge.watson.org)
Date: Thu, 8 Mar 2001 11:15:22 -0500 (EST)
From: Robert Watson <rwatson@FreeBSD.org>
X-Sender: robert@fledge.watson.org
To: Kris Kennaway <kris@obsecurity.org>
Cc: Will Andrews <will@physics.purdue.edu>,
	"Jordan K. Hubbard" <jkh@FreeBSD.org>, cvs-committers@FreeBSD.org,
	cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/usr.sbin/sysinstall config.c menus.c src/usr.sbin/sysinstall/help security.hlp
In-Reply-To: <20010308081201.C84789@mollari.cthul.hu>
Message-ID: <Pine.NEB.3.96L.1010308111417.71958D-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG


On Thu, 8 Mar 2001, Kris Kennaway wrote:

> On Thu, Mar 08, 2001 at 08:33:54AM -0500, Will Andrews wrote:
> > On Thu, Mar 08, 2001 at 02:16:57AM -0800, Jordan Hubbard wrote:
> > >   Log:
> > >   Fix some of the security profile messages to be more explanatory
> > >   and also obey most of the rules of english in their construction.
> > >   
> > >   Add a help screen for the security menu which gives the user a rough idea
> > >   just what the various security profiles do.
> > 
> > You really should mention that certain security profiles make it
> > impossible to start X without making another change.  I.e., warn a user
> > about securitylevel vs. XFree86.
> 
> I thought it worked as long as you started it before raising securelevel.

Yes, but if you have a program running with those privileges, you lose the
benefits of secure levels with regards to the relevant protections, as a
privileged process can attach to the X server using debugging interfaces
to gain access to the privileges.

I.e., securelevels suck. :-)

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message