Date: Fri, 11 Oct 2002 12:24:16 +0800
From: "Roman V. Mashak"
To: freebsd-questions@FreeBSD.ORG
Subject: Re: Security questions
Message-ID: <20021011042416.GA3718@mrv.tusur.ru>
In-Reply-To: <20021010.12422900.3222565378@rafter.>

On Thu, Oct 10, 2002 at 12:42:29PM +0000, Socketd wrote:
> > write or modification access through access lists. But that's
> > something we ought to reconsider when ACLs are widely available on
> > FreeBSD, imho.
> I am not the biggest fan of ACL's and I think we can solve this problem
> with the tools we have now. We have /var and different daemons and the
> kernel have to write messages to different files in that "dir". The
> interface to /var/ should be syslogd, meaning that all files in that
> "dir" should be owned by syslog. I can't see the need for ACL to make
> syslogd a non-root daemon.

What about running syslogd with '-ss' commandline options? IMHO it's a
bit more secure than the default variant.

--
Best regards, Roman
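
What '-ss' changes, as an added example that is not part of the original message: per FreeBSD syslogd(8), one -s makes syslogd not log messages from remote machines, and a second -s stops it opening a network socket at all, which also disables logging to remote machines. The sketch below classifies the syslogd_flags value in an rc.conf-style file; the function names, output labels and sample file contents are constructed, and the list of argument-taking options (a b f l m P p) is an assumption to check against your release's man page.

```shell
#!/bin/sh
# Added example, not from the thread. Counts how often -s appears in the last
# syslogd_flags= assignment of an rc.conf-style file and labels the result.
# Assumption: options taking an argument are a b f l m P p; check syslogd(8).

syslogd_s_count() {
    flags=$(sed -n 's/^[[:space:]]*syslogd_flags=//p' "$1" | tail -n 1 |
        sed 's/[[:space:]]#.*//' | tr -d "\"'")
    count=0
    skip=0
    set -f                              # no globbing while splitting the flags
    for word in $flags; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case $word in
            -?*) cluster=${word#-} ;;
            *) continue ;;
        esac
        while [ -n "$cluster" ]; do     # walk the cluster one letter at a time
            rest=${cluster#?}
            opt=${cluster%"$rest"}
            cluster=$rest
            case $opt in
                s) count=$((count + 1)) ;;
                [abflmPp])              # argument: rest of word, else next word
                    if [ -z "$cluster" ]; then skip=1; fi
                    cluster= ;;
            esac
        done
    done
    set +f
    echo "$count"
}

syslogd_exposure() {
    grep -q '^[[:space:]]*syslogd_flags=' "$1" || { echo "unset"; return 0; }
    case $(syslogd_s_count "$1") in
        0) echo "not-secure-mode" ;;      # no -s at all
        1) echo "secure-mode" ;;          # remote messages are not logged
        *) echo "no-network-socket" ;;    # -ss: no network socket is opened
    esac
}

# Constructed sample input, not a real system's configuration.
sample=$(mktemp)
printf 'syslogd_enable="YES"\nsyslogd_flags="-s"\nsyslogd_flags="-ss"\n' > "$sample"
echo "sample rc.conf: $(syslogd_exposure "$sample")"
rm -f "$sample"
```

A result of "unset" means the file does not set syslogd_flags, so the effective value is whatever /etc/defaults/rc.conf provides.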