Date: Tue, 29 May 2001 16:15:24 -0700 (PDT)
From: Matt Dillon
Message-Id: <200105292315.f4TNFOu31573@earth.backplane.com>
To: Seth
Cc: Vivek Khera, stable@FreeBSD.ORG
Subject: Re: adding "noschg" to ssh and friends

:
:Can we agree that it (that is, securelevel > 0 and schg on selected binaries)
:raises the bar a bit higher? If so, it seems to me that it might be worth
:doing (though most appropriately on a user-by-user basis).
:
:Seth.

Putting on my security hat... no. All you are doing is forcing the
hacker to use some more obscure and possibly less detectable way to
compromise the machine. So, in fact, you could be making the problem
*worse*.

-Matt