Date: Fri, 10 Nov 2000 14:05:39 -0800
From: Kris Kennaway <kris@FreeBSD.ORG>
To: Robert Watson <rwatson@FreeBSD.ORG>
Cc: Aleksey Zvyagin <zal@ping.ru>, freebsd-security@FreeBSD.ORG
Subject: Re: About FreeBSD securelevel
Message-ID: <20001110140539.A79150@citusc17.usc.edu>
In-Reply-To: <Pine.NEB.3.96L.1001109230111.54529A-100000@fledge.watson.org>; from rwatson@FreeBSD.ORG on Thu, Nov 09, 2000 at 11:03:34PM -0500
References: <001101c04a67$87b88e40$9600a8c0@zal.ping.ru> <Pine.NEB.3.96L.1001109230111.54529A-100000@fledge.watson.org>

On Thu, Nov 09, 2000 at 11:03:34PM -0500, Robert Watson wrote:
>
> These are well-known vulnerabilities that have been discussed in detail
> previously: it is widely recognized that securelevels are a flawed scheme
> that (in effect) attempts to be a subset of a mandatory integrity policy +
> some diminished privilege availability. The securelevel(8) man page
> should be updated to indicate that it is not supported, and recent commits
> to enable the securelevel in sysinstall's higher security profiles should
> be reverted. The securelevel functionality is inherited from BSD 4.4lite.

Well, even though securelevel doesn't prevent security breaches, it
imposes a road block in order to get around them, and this can and
does stop some (admittedly not very bright) attackers. Since it's also
the best we have for now, I think the manpage should be updated to
document the failings of the system and that they will hopefully be
addressed in 5.0 with the trustedbsd MAC implementation. I'll try and
write something up over the weekend.

Kris