From owner-freebsd-security  Fri Oct  5  2: 8:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from shikima.mine.nu (pc1-card3-0-cust143.cdf.cable.ntl.com [62.252.49.143])
	by hub.freebsd.org (Postfix) with ESMTP id 23E2237B407
	for <security@freebsd.org>; Fri,  5 Oct 2001 02:08:11 -0700 (PDT)
Received: from rasputin by shikima.mine.nu with local (Exim 3.33 #1)
	id 15pQy8-00009K-00
	for security@freebsd.org; Fri, 05 Oct 2001 10:08:32 +0100
Date: Fri, 5 Oct 2001 10:08:32 +0100
From: Rasputin <rasputin@submonkey.net>
To: security@freebsd.org
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20011005100832.A547@shikima.mine.nu>
Reply-To: Rasputin <rasputin@submonkey.net>
References: <20011004023034.U8391@blossom.cjclark.org> <20011004173535.0A2DE3B19D@gemini.nersc.gov>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011004173535.0A2DE3B19D@gemini.nersc.gov>; from dart@nersc.gov on Thu, Oct 04, 2001 at 10:35:34AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

* Eli Dart <dart@nersc.gov> [011004 19:30]:
> 
> In reply to "Crist J. Clark" <cristjc@earthlink.net> :
> 
> [snip]
> 
> > Have fun. Unless there is outpouring from people who love the idea,
> > I'm not going to commit these to FreeBSD.
> 
> Please consider this as part of an outpouring of support from people 
> who love the idea.

"me too".

Isn't this fairly common among the other BSDs as well?

An alternative to securelevel is sometimes useful,
and KLDs are a fairly well-known attack method against *BSD.

I don't see any harm in adding it as an option - it's doesn't have to
(definitely shouldn't be) the default, of course.

> I don't always have the option of running a box 
> in securelevel 1, and I would like to have this knob available, even 
> though it doesn't fix the problem all the way.  Something similar 
> used to exist in FreeBSD 3.x -- I was sorry when it went away.
> 
> 		--eli

--
Rasputin :: Jack of All Trades - Master of Nuns ::

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message