Date: Fri, 17 Apr 1998 14:40:46 -0400
From: Matthew Hunt <mph@pobox.com>
To: "Matthew N. Dodd" <winter@jurai.net>
Cc: dima@best.net, stable@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: kernel permissions
Message-ID: <19980417144046.41055@mph124.rh.psu.edu>
In-Reply-To: <Pine.BSF.3.96.980417140750.523e-100000@sasami.jurai.net>; from Matthew N. Dodd on Fri, Apr 17, 1998 at 02:09:55PM -0400
References: <19980417005408.08278@mph124.rh.psu.edu> <Pine.BSF.3.96.980417140750.523e-100000@sasami.jurai.net>

On Fri, Apr 17, 1998 at 02:09:55PM -0400, Matthew N. Dodd wrote:

> Look at /etc/login.conf. If that doesn't set policy for the entire set of
> all FreeBSD boxes I don't know what does. Why you didn't fuss about that
> as much when it went in I'm not sure.

(I think this discussion is out of proportion, so I will just address these issues and be done with it.)

Two reasons:

(a) login.conf resource limits address a genuine security issue, that of DoS attacks by resource exhaustion. I cannot see how reading the kernel can possibly be a security problem in and of itself.

(b) I can change login.conf on my machine, and it will stay changed. If Makefile.i386 changes, changes I make will be destroyed by cvsup, so I have to change the Makefile whenever I build a kernel, or change the permissions right after "make install".

> I detect an 'information wants to be free' attitude though. Maybe it's
> just me...

Yes, that's exactly it. I do not agree with hiding information unnecessarily. The belief that this change improves security seems like a "security by obscurity" approach.

Hope this clarifies my opinions.

--
Matthew Hunt <mph@pobox.com> * Stay close to the Vorlon.
http://mph124.rh.psu.edu/~mph/pgp.key for PGP public key 0x67203349.