Date: Mon, 15 Jun 1998 00:09:56 +0200
From: Eivind Eklund <eivind@yes.no>
To: Niall Smart <njs3@doc.ic.ac.uk>, dima@best.net, Darren Reed <avalon@coombs.anu.edu.au>
Cc: jayrich@room101.sysc.com, security@FreeBSD.ORG
Subject: Re: bsd securelevel patch question
Message-ID: <19980615000956.57060@follo.net>
In-Reply-To: <E0ylKaT-0001Nb-00@oak71.doc.ic.ac.uk>; from Niall Smart on Sun, Jun 14, 1998 at 10:45:17PM +0100
References: <eivind@yes.no> <E0ylKaT-0001Nb-00@oak71.doc.ic.ac.uk>

On Sun, Jun 14, 1998 at 10:45:17PM +0100, Niall Smart wrote:
> Propagating the immutable flag leads to a dramatic improvement, not
> propagating it leads to a meagre improvement, in fact it could be
> construed as taking a step backwards due to overconfidence in the
> security of the system just because the secure levels wand has been
> waved.

Propagating it is not a dramatic improvement unless you have some way of
logging killed processes.  We presently don't, I believe.

> I still haven't heard one convincing argument for not propagating the
> immutable flag, and have given plenty for.

I'm in favour, if you also patch kern_sig.c to print out the fact that
something has been killed, and that it had the immutable flag set.
Otherwise, I can't see that it is useful at all.

(It'd be nice to print the RUID of the process that sent the signal, too,
but that might be difficult to acquire)

Eivind.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message