From: Randy Kunkee
To: freebsd-stable@freebsd.org
Date: Thu, 28 Feb 2002 01:55:33 -0600
Subject: running securelevel 2 and X

I just upgraded to 4.5-stable and it reset my securelevel to 2 and enabled. Of course, X would not come up, x86OpenConsole failed with this KDENABIO error.

The documentation I found on this suggests two solutions, both of which advise using XDM. First, running XDM from /etc/ttys, did not work, producing the same error. The second one, running as a full daemon from /usr/local/etc/rc.d does work, as long as I add a short sleep to give XDM time to start before securelevel is changed by init after finishing the startup scripts. The downside of this is that if I ever abort XDM for some reason, I won't be able to restart it, nor will I be able to start X directly (and playing with XDM is enough fun in itself anyway).

Perhaps I have a conflict of interest. I want to run X and be secure. Is running X such a big gaping security hole that I'm left with my current solution (to restart X, I must reboot!)?
Granted this shouldn't happen very often, so perhaps that's the answer: don't kill XDM. Is there no reasonable change that could be made to the OS to grant access to let the X server do its thing (i.e. allow running startx) without disarming the securelevel feature completely?

Randy