Date: Fri, 4 Oct 1996 09:48:10 +0900 (JST)
From: Michael Hancock <michaelh@cet.co.jp>
To: Garrett Wollman <wollman@lcs.mit.edu>
Cc: current@freebsd.org
Subject: Re: Immutable flags (was: Re: WARNING: botched ld.so commit! :-()
Message-ID: <Pine.SV4.3.93.961004093100.20989C-100000@parkplace.cet.co.jp>
In-Reply-To: <9610031334.AA12862@halloran-eldar.lcs.mit.edu>

On Thu, 3 Oct 1996, Garrett Wollman wrote:

> <<On Thu, 3 Oct 1996 06:30:22 +0900 (JST), Michael Hancock <michaelh@cet.co.jp> said:
>
> > /kernel is marked immutable. I'd like to be able to configure systems
> > such that you can't change the flags unless you are in single user mode
> > even if you're root.
>
> sysctl -w kern.securelevel=0 #in /etc/rc.local

How many daemons are running by the time you get to this line?

This isn't satisfactory, I don't want the -1 to 0 window fullstop.

This is yet another 4.4 advance over other Unix implementations, yet we
hide it. If this security level stuff has holes in it we are unlikely to
find them and fix them if the initialization isn't exported to us in kernel
config because hardly anyone will use it. The false sense of security
argument is bogus.

Why can't we export it like all the other BSDs? They call it INSECURE
which toggles -1 or 0, we can call it something else following the
"principle of least astonishment to newbies".

options INITIAL_SECURITY_LEVEL=0 #man init for details

Regards,

Mike