Date: Wed, 14 Mar 2001 21:18:05 -0500 (EST)
From: Robert Watson <rwatson@freebsd.org>
To: freebsd-arch@freebsd.org
Subject: Re: flags settings for modules
Message-ID: <Pine.NEB.3.96L.1010314211549.87211A-100000@fledge.watson.org>
In-Reply-To: <20010314111629.A1018@dragon.nuxi.com>

The effects of schg can be mitigated by circumventing securelevels, which is trivial in most installs, especially in our default installs. Enabling schg in the default install offers little benefit (in fact, it's rather inconvenient). There are hardened environments where schg can be useful, but ours is not one of them.

I'd like schg turned off in the default install to unbreak various forms of NFS stuff, and because it's a royal pain to keep stripping schg from binaries, libraries, modules, and the kernel when I need to manually twiddle as opposed to using the Makefile, which happens with surprising frequency as a result of a still-too-small root partition relative to the size of (kernel + modules).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Wed, 14 Mar 2001, David O'Brien wrote:

> I committed a change sys/conf/kmod.mk such that modules are now installed
> with flags "schg" as the kernel has been forever.
>
> It was asked of me if the "schg" flags do much more than get in the
> way now? Some feel we're really using "schg" mainly to inhibit foot
> shooting. It doesn't really help security or we would set it on more
> libraries than libc.so.* and a couple of crypto shared libraries.
>
> So the question is do we want to keep my change? If so, shouldn't we use
> "schg" in a *lot* more places? Otherwise its use is nebulous
>
> --
> -- David (obrien@FreeBSD.org)
> GNU is Not Unix / Linux Is Not UniX
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-arch" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1010314211549.87211A-100000>