From owner-freebsd-stable  Thu Feb 28  5:45:16 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from shikima.mine.nu (pc1-card4-0-cust77.cdf.cable.ntl.com [62.252.49.77])
	by hub.freebsd.org (Postfix) with ESMTP id 379D437B402
	for <stable@freebsd.org>; Thu, 28 Feb 2002 05:45:12 -0800 (PST)
Received: from rasputin by shikima.mine.nu with local (Exim 3.33 #1)
	id 16gK6s-000EDD-00; Thu, 28 Feb 2002 06:32:10 +0000
Date: Thu, 28 Feb 2002 06:32:09 +0000
From: Rasputin <rasputin@submonkey.net>
To: Randy Kunkee <randy@randallkunkee.com>
Cc: stable@freebsd.org
Subject: Re: running securelevel 2 and X
Message-ID: <20020228063209.B45581@shikima.mine.nu>
Reply-To: Rasputin <rasputin@submonkey.net>
References: <3C7DE275.B8DE1205@randallkunkee.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <3C7DE275.B8DE1205@randallkunkee.com>; from randy@randallkunkee.com on Thu, Feb 28, 2002 at 01:55:33AM -0600
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG

* Randy Kunkee <randy@randallkunkee.com> [020228 01:17]:
> I just upgraded to 4.5-stable and it reset my securelevel to 2 and
> enabled.  Of course, X would not come up, x86OpenConsole failed with
> this KDENABIO error.  The documentation I found on this suggests two
> solutions, both of which advise using XDM.  First, running XDM from
> /etc/ttys, did not work, producing the same error.  The second one,
> running as a full daemon from /usr/local/etc/rc.d does work, as long as
> I add a short sleep to give XDM time to start before securelevel is
> changed by init after finishing the startup scripts.  The downside of
> this is that if I ever abort XDM for some reason, I won't be able to
> restart it, nor will I be able to start X directly (and playing with
> XDM is enough fun in itself anyway).

No, the idea behind running XDM is that if that opens /dev/io before the
securelevel is raised, it will be allowed to keep it open.
	Since xdm only starts once, you don't have trouble getting into an
X session once you log out like you would using startx.

> Perhaps I have a conflict of interest.  I want to run X and be secure.
> Is running X such a big gaping security hole that I'm left with my
> current solution (to restart X, I must reboot!)?  

In a word, yes. X needed direct access to /dev/io last time I looked.

> Is there no reasonable change that could be made to the OS to grant access
> to let the X server do its thing (ie. allow running startx) without
> disarming the securelevel feature completely?

There was a patch out about a year ago to use the 'aperture driver',
which basically opens a hole for X to squirt through.

Search the lists, not sure if it would apply to STABLE cleanly.

-- 
Be braver -- you can't cross a chasm in two small jumps.
Rasputin :: Jack of All Trades - Master of Nuns ::

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message