From owner-freebsd-current Mon Oct 7 02:28:50 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id CAA27791 for current-outgoing; Mon, 7 Oct 1996 02:28:50 -0700 (PDT)
Received: from parkplace.cet.co.jp (parkplace.cet.co.jp [202.32.64.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id CAA27784 for ; Mon, 7 Oct 1996 02:28:46 -0700 (PDT)
Received: from localhost (michaelh@localhost) by parkplace.cet.co.jp (8.8.0/CET-v2.1) with SMTP id JAA14300; Mon, 7 Oct 1996 09:28:38 GMT
Date: Mon, 7 Oct 1996 18:28:38 +0900 (JST)
From: Michael Hancock
To: Garrett Wollman
cc: current@FreeBSD.org
Subject: Re: secure level diffs to kern_mib.c, LINT
In-Reply-To: <9610061827.AA22366@halloran-eldar.lcs.mit.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-current@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 6 Oct 1996, Garrett Wollman wrote:

> < said:
>
> > FreeBSD defaults securelevel to -1, use the following diffs if you prefer
> > normal bsd operations or want a choice. Man init(8) for details.
>
> I am strongly opposed to this patch, for reasons I have stated in this
> list in the past few days.

This security level stuff had an ambiguous design and a flawed implementation. It was ambiguous, but reasonable because it didn't depend on a command randomly placed in the rc scripts.

By encouraging the use of sysctl -w in the rc scripts you're downgrading the design to the level of the flawed implementation. It seems we're worse off than before. "It's broken, let's break it more."

I can just see it now, Joe security wizard fixes init and the secure level stuff and says, "Ok, all you guys that followed the stupid advice of putting sysctl -w kern.securelevel in rc, rc.local, or some other random place, you can take those out now."
Wouldn't it be better to encourage a better design and implementation than to encourage the use of flawed work-arounds just because the implementation lets you? Design interfaces the way they should work; if the implementation doesn't work as designed, then write a good CAVEAT section in the man pages so somebody can fix them with the least disruption to the community's configurations. At least create an opportunity for improvement.

Regards,

Mike Hancock