From owner-freebsd-security Fri Nov 10 11:52:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from pike.osd.bsdi.com (pike.osd.bsdi.com [204.216.28.222])
	by hub.freebsd.org (Postfix) with ESMTP
	id 636AC37B4C5; Fri, 10 Nov 2000 11:52:20 -0800 (PST)
Received: from laptop.baldwin.cx (john@dhcp241.osd.bsdi.com [204.216.28.241])
	by pike.osd.bsdi.com (8.11.0/8.9.3) with ESMTP id eAAJq6H78698;
	Fri, 10 Nov 2000 11:52:06 -0800 (PST)
	(envelope-from jhb@FreeBSD.org)
Message-ID:
X-Mailer: XFMail 1.4.0 on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To:
Date: Fri, 10 Nov 2000 11:52:42 -0800 (PST)
From: John Baldwin
To: Robert Watson
Subject: Re: About FreeBSD securelevel
Cc: freebsd-security@FreeBSD.org, Aleksey Zvyagin
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 10-Nov-00 Robert Watson wrote:
>
> These are well-known vulnerabilities that have been discussed in detail
> previously: it is widely recognized that securelevels are a flawed scheme
> that (in effect) attempts to be a subset of a mandatory integrity policy +
> some diminished privilege availability. The securelevel(8) man page
> should be updated to indicate that it is not supported, and recent commits
> to enable the securelevel in sysinstall's higher security profiles should
> be reverted.

The securelevel functionality is inherited from BSD 4.4lite. We don't have
MAC's yet though. If you can provide a replacement for it, then go ahead and
axe it, otherwise, I wouldn't kill it yet. When do you expect to be able to
replace its functionality? If you will have it in by 5.0, then you can go
ahead and say it is deprecated in 5.0 and 4.x now. If not until 6.0, then
just say it is deprecated in 5.0 only. Regardless, I wouldn't axe the
functionality or the sysinstall hooks until the replacement functionality is
committed.

--
John Baldwin -- http://www.FreeBSD.org/~jhb/
PGP Key: http://www.baldwin.cx/~john/pgpkey.asc
"Power Users Use the Power to Serve!" - http://www.FreeBSD.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message