Date: Sun, 12 Nov 2006 09:57:55 -0500 From: Lowell Gilbert <lgusenet@be-well.ilk.org> To: lothrandil@n00b.apagnu.se (Niclas Zeising) Cc: freebsd-doc@freebsd.org Subject: Re: docs/104403: man security should mention that the usage of the X Window Systen is only possible with kern.securitylevel=-1 Message-ID: <44lkmg7lvw.fsf@be-well.ilk.org> In-Reply-To: <200611121400.kACE0g76065119@freefall.freebsd.org> (Niclas Zeising's message of "Sun, 12 Nov 2006 14:00:42 GMT") References: <200611121400.kACE0g76065119@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
lothrandil@n00b.apagnu.se (Niclas Zeising) writes: > The following reply was made to PR docs/104403; it has been noted by GNATS. > > From: Niclas Zeising <lothrandil@n00b.apagnu.se> > To: Giorgos Keramidas <keramida@freebsd.org> > Cc: bug-followup@freebsd.org, doc@freebsd.org > Subject: Re: docs/104403: man security should mention that the usage of the > X Window Systen is only possible with kern.securitylevel=-1 > Date: Sun, 12 Nov 2006 14:55:42 +0100 > > Giorgos Keramidas wrote: > > On 2006-11-12 10:52, Niclas Zeising <lothrandil@n00b.apagnu.se> wrote: > >> Giorgos Keramidas wrote: > >>>> With kern.securitylevel=0 or higher it is not possible to start X. > >>> You can still use `xdm' or a similar way of starting X11, because > >>> it will be started by init(8) before the securelevel is raised by > >>> the `/etc/rc.d/securelevel' script. > >>> > >>> I don't think this is worth mentioning in security(7), because > >>> we can't possibly document *ALL* the possible things that can > >>> fail with a bumped securelevel. > >> It it probably worth mentioning somewhere, as it will avoid some foot > >> shooting from unaware users. One can discuss though that if the extra > >> security provided by the security level is needed, maybe the system > >> shouldn't run X in the first place. > > > > I'm not sure. > > > > Should we also mention that you can't "installworld" with an elevated > > securelevel, because chflags may fail to work and cause problems? > > Should we also mention that not being able to change the firewall rules > > can be tricky, if you are testing your new firewall ruleset, and get > > locked out? > > > > There are *MANY* ways in which an elevated securelevel can turn around > > and bite you in the ass, but do we _really_ have to enumerate them all > > in mind-boggingly detail? ... in a single manpage? > > > > I really don't know. > > > > I believe they should be documented somewhere, to avoid questions. Sure, but they already are. Given that both the X and installworld issues have been in the FAQ for years, I don't think adding MORE documentation will help.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44lkmg7lvw.fsf>