From owner-freebsd-security  Mon Jun 15 04:07:11 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id EAA18687
          for freebsd-security-outgoing; Mon, 15 Jun 1998 04:07:11 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns1.yes.no (ns1.yes.no [195.119.24.10])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA18659
          for <security@FreeBSD.ORG>; Mon, 15 Jun 1998 04:06:54 -0700 (PDT)
          (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218])
	by ns1.yes.no (8.8.7/8.8.7) with ESMTP id LAA14796;
	Mon, 15 Jun 1998 11:06:53 GMT
Received: (from eivind@localhost)
	by bitbox.follo.net (8.8.8/8.8.6) id NAA26359;
	Mon, 15 Jun 1998 13:06:53 +0200 (MET DST)
Message-ID: <19980615130652.61198@follo.net>
Date: Mon, 15 Jun 1998 13:06:52 +0200
From: Eivind Eklund <eivind@yes.no>
To: Darren Reed <avalon@coombs.anu.edu.au>
Cc: security@FreeBSD.ORG
Subject: Re: bsd securelevel patch question
References: <E0ylKaT-0001Nb-00@oak71.doc.ic.ac.uk> <199806151059.KAA13992@ns1.yes.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89.1i
In-Reply-To: <199806151059.KAA13992@ns1.yes.no>; from Darren Reed on Mon, Jun 15, 1998 at 08:58:04PM +1000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jun 15, 1998 at 08:58:04PM +1000, Darren Reed wrote:
> 
> btw, using the immutable flag(s) without setting the securelevel > 0 is
> fruitless as raw device access remains open...
> 
> using both, is required, if you're going to use either.

Of course.  If you have securelevel <= 0, you can just use chflags to
remove the immutable flag, so that is _truly_ pointless.  It doesn't
even slow down an attacker.

Eivind.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message