From: Kirill Nosov
Reply-To: slash@leontief.net
To: freebsd-security@FreeBSD.ORG
Subject: Re: securelevel descr
Date: Fri, 18 Jun 1999 11:40:31 +0400
Message-Id: <99061811465300.10975@MirStation.leontief.nw.ru>

On Fri, 18 Jun 1999, Frank Tobin wrote:
>I was talking over something with friends today, and we were trying to
>come up with ideas for securelevels that would disable as much meaning out
>of being root, to limit the spread of being root if a box is 'rooted'.
>Specifically, we came to the conclusions that with most of /etc, /usr
>(with the notable exceptions of /etc/passwd, catman, /usr/local) could be
>chflagged simmutable, and a securelevel of 3 could really strengthen a
>box. Of course, one additional thing that no secure level does that would
>be _really_ nice is that it would prevent more secure ports from being
>opened.
>

As far as I remember, there was a discussion about implementing the
dependence between uid and the port you are able to open - to eliminate the
'privileged ports' concept. That was a great idea from my point of view.
Will it be implemented in future FreeBSD versions? As far as I see, it
is possible to do it w/o any changes in '3rd party software', just by
means of the FreeBSD core.

---
... I want to perform cranial activities with Tuesday Weld!!
/Slash.